Malicious PDF — malware analysis report

Static analysis result for SHA-256 c58d2507e4c6027a…

MALICIOUS

PDF

67.6 KB Created: 2020-07-26 07:34:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a3a397aef4fe0c379c91c8509f25bfd SHA-1: 5bfdfa0c7ab1da3196f0801988a1fdb92c45d1c5 SHA-256: c58d2507e4c6027a51fd6e62e23982401b61a7ba86c9f072fcfafa7ab630f12f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF documents hosted on various domains. One of these links, 'https://ttraff.ru/pify?keyword=madam+secretary+2019+episode+guide', is identified as a known malicious redirector. The document's structure suggests it's designed to lure users into clicking through these links, potentially leading them to malicious content or further compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=madam+secretary+2019+episode+guide
    • http://files.shidokanatl.com/uploads/1/3/2/6/132695719/wazamebadadazut-togumov-dofipokorebabub.pdf
    • http://files.morabezacatering.com/uploads/1/3/0/7/130740375/basifepexojotelazuz.pdf
    • http://files.southamptonelempto.com/uploads/1/3/2/7/132712163/limopukozedamam.pdf
    • http://files.rceslibrary.com/uploads/1/3/0/7/130739308/c417c87a7184d.pdf
    • https://cdn.shopify.com/s/files/1/0431/6377/9240/files/67268701810.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/95690020754.pdf
    • https://cdn.shopify.com/s/files/1/0430/8720/0418/files/fesefewowukutopewitop.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63912397784.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78649322563.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7614/files/konupowotasizanizuw.pdf
    • https://cdn.shopify.com/s/files/1/0428/1312/8863/files/92118216414.pdf
    • https://cdn.shopify.com/s/files/1/0428/5222/1091/files/jevufidox.pdf
    • https://cdn.shopify.com/s/files/1/0433/5294/8901/files/91306570800.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wudusojixidotivage.pdf
    • https://cdn.shopify.com/s/files/1/0436/1430/6467/files/4442374413.pdf
    • https://cdn.shopify.com/s/files/1/0436/5670/8254/files/78585676054.pdf
    • https://cdn.shopify.com/s/files/1/0433/8240/7335/files/guretukopin.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bc74.bin
e810e242fc71bc7c2dd145c34dd9763bb71eed4889632d15792aa712be6627a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC74 5724 bytes
font_01_sfnt_off0000d005.bin
455a965046df4a701ad2d8d31476a3b454a75ddd68168e8b4a8af54e1f6d5b75		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD005 15764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.