Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2ff84ad9e8aa110…

MALICIOUS

PDF

43.5 KB Created: 2020-08-26 11:21:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: feaa539f3b589038737184d2f42c8553 SHA-1: f2749961557044986eb2c7dfee8a86578c36b3af SHA-256: c2ff84ad9e8aa1103ac05a08e48a20cd6c1335ecca215d6ca26bd63b5f5a574c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one specifically identified as a malicious redirector. This suggests the document's primary purpose is to lure the user to a malicious website through these links. No scripts were extracted from this sample, and the document body was heavily obfuscated, making it difficult to determine the exact nature of the lure beyond the presence of the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=silver+crossword+clue+dan+word
    • http://files.revivapilates.com/uploads/1/3/0/9/130969368/388e7d0.pdf
    • https://cdn.shopify.com/s/files/1/0434/1504/4263/files/59186810783.pdf
    • https://cdn.shopify.com/s/files/1/0432/7643/5621/files/computer_lab_safety_rules.pdf
    • https://cdn.shopify.com/s/files/1/0432/4763/2548/files/fezufaposipukubeb.pdf
    • https://cdn.shopify.com/s/files/1/0437/8011/2535/files/classic_wow_druid_leveling_guide_kargoz.pdf
    • https://cdn.shopify.com/s/files/1/0430/4375/0049/files/mawilawumenenixoso.pdf
    • https://cdn.shopify.com/s/files/1/0432/1561/8203/files/5626793949.pdf
    • https://cdn.shopify.com/s/files/1/0452/8789/9297/files/commercial_photography_contract_template_uk.pdf
    • https://cdn.shopify.com/s/files/1/0440/7581/0966/files/eclipse_cdt_zip.pdf
    • https://cdn.shopify.com/s/files/1/0433/3459/8809/files/xefomutamuwejavugatituzu.pdf
    • https://cdn.shopify.com/s/files/1/0438/1078/3394/files/forsaken_dream_theater_piano_sheet_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d57.bin
09f3c4927c4939f9666a240870fb5b8cd53d6265d37d8725bbfdb0507401c378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D57 5188 bytes
font_01_sfnt_off00007f0f.bin
dfabed924e9213fec04cca1ff227a34713611830f6c2dfa71b5c2778fa421176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F0F 10096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.