Malicious PDF — malware analysis report

Static analysis result for SHA-256 c23bea0fba2ac9b1…

MALICIOUS

PDF

53.2 KB Created: 2020-08-18 20:27:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90879edd238f8f66e0edfd1f0934f1ed SHA-1: 94a1216bd6d508f9b130e69e2c5b24a9c82fb46f SHA-256: c23bea0fba2ac9b13381a269b27be21b1b1dcf5e7e0a6b97df7c0b2007faab28
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as search results, with the primary link directing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the heuristic firings. The presence of numerous links to Shopify domains suggests an attempt to blend malicious links with legitimate content to evade detection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=blackbird+beatles+chords+pdf
    • http://files.thewardrobeletters.com/uploads/1/3/1/8/131856919/08ba2.pdf
    • http://files.edwardkentwatson.com/uploads/1/3/1/4/131454770/gogavutip-jivogusuki.pdf
    • http://files.hikingnewfoundland.com/uploads/1/3/2/6/132682282/e682f2.pdf
    • http://files.healthblc.com/uploads/1/3/0/7/130776058/levokitulovenu.pdf
    • http://files.shopsuper-nova.com/uploads/1/3/1/8/131856212/9d35af6d1.pdf
    • https://cdn.shopify.com/s/files/1/0433/0032/3478/files/car_seat_poncho_pattern.pdf
    • https://cdn.shopify.com/s/files/1/0434/9270/4408/files/4981716563.pdf
    • https://cdn.shopify.com/s/files/1/0427/6387/8566/files/fugexeta.pdf
    • https://cdn.shopify.com/s/files/1/0431/4651/0504/files/kijoditenis.pdf
    • https://cdn.shopify.com/s/files/1/0431/6105/9477/files/zexufemuxom.pdf
    • https://cdn.shopify.com/s/files/1/0430/4951/7205/files/maths_problem_solving_worksheets_ks2.pdf
    • https://cdn.shopify.com/s/files/1/0429/9541/7237/files/fipiwulaguropevuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/2849/6036/files/sidapibe.pdf
    • https://cdn.shopify.com/s/files/1/0429/8915/8554/files/rufilukuxasenoxupo.pdf
    • https://cdn.shopify.com/s/files/1/0428/6968/6431/files/flush_by_carl_hiaason.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dd9.bin
82e0607294ae083a676b49435ea449f86035dfa2924f1db7fed6190c752445ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DD9 5496 bytes
font_01_sfnt_off00008078.bin
086d8febc5291a7c1d156002a62ff1d5489f17924ccd0845878b07b800c3172f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8078 15364 bytes
font_02_sfnt_off0000b096.bin
e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB096 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.