Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8a3986bb23ae236…

MALICIOUS

PDF

37.4 KB Created: 2020-08-18 17:39:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c7d2088cf5eef86f1bab93b03a4504d SHA-1: 5eeb927456ef0e6e5c42af91c2fbaee960d02e44 SHA-256: c8a3986bb23ae236c391a79e26a42c44cd52fa9d39ddabba3cf4316f9ad4f601
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to a 'tech sheet' and includes the malicious URL. This suggests a social engineering attack where the user is tricked into clicking a link that leads to malicious infrastructure. No scripts were extracted, and the primary malicious activity appears to be the redirection via the embedded link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=eternally+silenced+wine+tech+sheet
    • http://files.cowboys4heroes.com/uploads/1/3/2/6/132682929/11d28a05.pdf
    • http://files.johncharlespennington.com/uploads/1/3/2/7/132712234/ligusaxoxu_paniv_vexapipal_pijirisinuz.pdf
    • http://bedijaxo.iplacenta.eu/uploads/1/3/0/9/130969204/2002f.pdf
    • http://files.pocketswine.com/uploads/1/3/1/4/131454098/8786235.pdf
    • http://files.bulldogrestorationservices.com/uploads/1/3/1/8/131857565/namonekikibeworazix.pdf
    • https://cdn.shopify.com/s/files/1/0432/1817/4120/files/behind_blue_eyes_piano.pdf
    • https://cdn.shopify.com/s/files/1/0429/6874/4087/files/fanijo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6980/8548/files/pejafefepinetajufage.pdf
    • https://cdn.shopify.com/s/files/1/0435/6472/8479/files/battletech_painting_guide.pdf
    • https://cdn.shopify.com/s/files/1/0437/2742/1608/files/92452661664.pdf
    • https://cdn.shopify.com/s/files/1/0431/2776/7206/files/suriwanafatufiwipekudi.pdf
    • https://cdn.shopify.com/s/files/1/0434/3712/9895/files/all_maths_formulas_for_ssc_cgl.pdf
    • https://cdn.shopify.com/s/files/1/0437/7565/6094/files/xesujamopag.pdf
    • https://cdn.shopify.com/s/files/1/0437/7778/6018/files/cartoon_video_chhota_bheem_cartoon_video.pdf
    • https://cdn.shopify.com/s/files/1/0432/7879/4917/files/34702189299.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005228.bin
ccbd3fb4f7bd29890c9c487662334b76b813be84f01ee19878214c5b69156dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5228 5176 bytes
font_01_sfnt_off000063cb.bin
dd5bec88a8d3f2a3fcdc1cabe39b51ce77ed0df6a468a89cf081a048dbce056b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63CB 10828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.