Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4d0b48ecfe55dd0…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-07-31 08:59:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89950261f6954a676db4276ee77cbcd0
SHA-1: 9761c653c739541ef995e6dd8525822d3851ce1a
SHA-256: c4d0b48ecfe55dd0bfd85e80e8c4deec9832663b17dd5fa05c5822377c4ee0e0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable external links, one of which (the ttraff.cc URL) is identified as a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure for the search query '21 day ketogenic diet plan pdf free'; the redirector URL carries that same query in its keyword parameter, and the producer string (wkhtmltopdf) is consistent with a carrier generated from an HTML template. The volume of external links suggests an attempt to route visitors to malicious or unwanted-software download pages. No scripts (JavaScript, PowerShell or otherwise) were extracted from this sample, so the T1059.001 mapping is not corroborated by any artifact in this report; the observed risk depends on a user following the links, not on a PDF parser vulnerability.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Such documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is realised only when a user follows the link.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains and does not resemble a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL was reached. Those labels are not reproduced here.
    Link targets (16):
    • https://ttraff.cc/pify?keyword=21+day+ketogenic+diet+plan+pdf+free
    • http://files.yggllwyncelyn.cymru/uploads/1/3/1/4/131453365/1764739.pdf
    • http://files.coachtbasketball.com/uploads/1/3/2/6/132681971/b15c9ba1731.pdf
    • http://files.bebebreaphotography.com/uploads/1/3/1/3/131384599/xazujetagi.pdf
    • http://files.vivalavisaa.com/uploads/1/3/1/6/131606231/1008221.pdf
    • http://files.takemeshopping.co.nz/uploads/1/3/1/3/131398338/5600658.pdf
    • https://cdn.shopify.com/s/files/1/0433/0474/7168/files/54430565583.pdf
    • https://cdn.shopify.com/s/files/1/0433/2060/6885/files/zogezimiz.pdf
    • https://cdn.shopify.com/s/files/1/0427/8406/3654/files/18361563690.pdf
    • https://cdn.shopify.com/s/files/1/0437/6743/1320/files/gafuvinidalasapu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9118/2243/files/nuxedavokepekagip.pdf
    • https://cdn.shopify.com/s/files/1/0430/8929/7568/files/46324180498.pdf
    • https://cdn.shopify.com/s/files/1/0436/2344/8736/files/86424776548.pdf
    • https://cdn.shopify.com/s/files/1/0433/9721/8460/files/toduwobi.pdf
    • https://cdn.shopify.com/s/files/1/0433/5425/9606/files/dananiviwofekokimobi.pdf
    • https://cdn.shopify.com/s/files/1/0437/5881/3336/files/dufewuwodugebeb.pdf
    XMP metadata namespace identifiers (6; standard RDF, Dublin Core and Adobe XMP schema URIs that name metadata vocabularies and are not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
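The following Python is an added example, not the analysis platform's own code. It shows the two critical heuristics above implemented over raw PDF bytes, and it separates the clickable /URI link annotations from XMP namespace identifiers, which a bare URL regex over the file would lump together (the last six entries in the list above are such identifiers). The sample PDF, its host names, the redirector host list and the thresholds (100 KB, at least five .pdf links, 60% of them on one host) are all constructed assumptions, and the extractor assumes uncompressed objects; real samples usually need their FlateDecode streams inflated first.

```python
"""Channel-aware URL extraction and link-farm scoring over raw PDF bytes.

Added example, not the analysis platform's code. Assumes the PDF's objects
are stored uncompressed, so /URI dictionaries and the XMP packet are visible
as plain text; real samples usually need FlateDecode streams inflated first.
Thresholds are illustrative, not the platform's.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: one redirector link, seven links
# to .pdf files (five on a single host) and an XMP packet whose namespace URIs
# look like URLs but are not clickable. No xref table: the extractor below
# never needs one.
SAMPLE_LINKS = [
    "https://redirector.example/pify?keyword=diet+plan",
    "https://cdn.example.test/files/1/a.pdf",
    "https://cdn.example.test/files/2/b.pdf",
    "https://cdn.example.test/files/3/c.pdf",
    "https://cdn.example.test/files/4/d.pdf",
    "https://cdn.example.test/files/5/e.pdf",
    "http://files.alpha.example/uploads/1/f.pdf",
    "http://files.beta.example/uploads/2/g.pdf",
]
SAMPLE_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
              b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
              b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
              b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')


def build_sample_pdf() -> bytes:
    """Assemble the constructed PDF: catalog, one page, link annots, XMP."""
    annots, refs = b"", []
    for num, url in enumerate(SAMPLE_LINKS, start=4):
        refs.append(b"%d 0 R" % num)
        annots += (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url.encode()))
    meta = 4 + len(SAMPLE_LINKS)
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata %d 0 R >> endobj\n" % meta
    page = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [" + b" ".join(refs) + b"] >> endobj\n")
    xmp = (b"%d 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
           % (meta, len(SAMPLE_XMP)) + SAMPLE_XMP + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + catalog + page + annots + xmp + b"%%EOF\n"


# /URI (...) of a URI action; the group tolerates backslash-escaped characters.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# xmlns declarations inside the XMP packet.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')
# The naive approach: any http(s) URL anywhere in the file.
NAIVE_URL_RE = re.compile(rb'https?://[^\s<>"()]+')


def _pdf_string(literal: bytes) -> str:
    """Undo the backslash escapes a PDF literal string may contain."""
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def link_annotation_urls(pdf: bytes) -> list[str]:
    """URLs a click can reach: the /URI entries of URI actions."""
    return [_pdf_string(m) for m in URI_ACTION_RE.findall(pdf)]


def xmp_namespace_uris(pdf: bytes) -> list[str]:
    """Namespace identifiers declared in XMP: vocabulary names, not links."""
    return [m.decode("latin-1") for m in XMLNS_RE.findall(pdf)]


def naive_urls(pdf: bytes) -> list[str]:
    """What a bare URL regex over the whole file yields: both kinds mixed."""
    return [m.decode("latin-1") for m in NAIVE_URL_RE.findall(pdf)]


def score_links(pdf: bytes, redirector_hosts: set[str], *, max_size: int = 100 * 1024,
                min_pdf_links: int = 5, cluster_ratio: float = 0.6) -> dict:
    """Apply the two link heuristics; redirector_hosts stands in for a threat-intel list."""
    links = link_annotation_urls(pdf)
    hosts = [urlsplit(u).hostname or "" for u in links]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    top = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)
    top_host, top_count = top[0] if top else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hits = []
    if any(h in redirector_hosts for h in hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio:
        hits.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "links": len(links), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "hits": hits}


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("naive regex:", len(naive_urls(sample)), "URLs;",
          "link annotations:", len(link_annotation_urls(sample)), ";",
          "XMP namespaces:", len(xmp_namespace_uris(sample)))
    print(score_links(sample, {"redirector.example"}))
```

On the constructed sample the naive regex reports 11 URLs while only 8 are clickable, which is exactly the conflation visible in the list above. The link-farm check deliberately counts only links whose path ends in .pdf and measures how many of them share one host, so a legitimate document with a few scattered citations does not fire it.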

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, a normal component of a wkhtmltopdf-generated document; none of the heuristics above concerns them.

Filename: font_00_sfnt_off000076b1.bin
  SHA-256: a2d6c65ccf32b6596e7e860d1deb951a8ef8f1e0fc5c2e8163f9ede8a099b907
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x76B1
  Size: 5188 bytes
Filename: font_01_sfnt_off0000886e.bin
  SHA-256: 63a14ee2d92fb8b791ea1a67aa6d8c47ae5090bd146bbc6d2e7ed7b244b199e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x886E
  Size: 9848 bytes