Malicious PDF — malware analysis report

Static analysis result for SHA-256 c933e5b20b7af7ec…

MALICIOUS

PDF

50.0 KB Created: 2020-08-14 14:52:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54c2953048281d98c0aeed863e5bfca6 SHA-1: 3e5de79c0fc81705b02aff1b3885853184e08894 SHA-256: c933e5b20b7af7ec1d2f05c404852848553dbf2a847196f69d46313057715e61
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic indicating it's a malicious redirector link, pointing to a URL that impersonates a WhatsApp update. This URL is likely designed to trick users into downloading malware or providing sensitive information. The PDF also contains a large number of embedded links, many of which point to Shopify domains, suggesting a link farm used for SEO poisoning or to obscure the final malicious destination. The document body, though heavily corrupted, contains the lure text 'Aggiornamento whatsapp 2018 android' and the malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=aggiornamento+whatsapp+2018+android
    • http://files.servantconferences.com/uploads/1/3/2/6/132680869/batupu.pdf
    • http://files.nbhctoledo.com/uploads/1/3/1/0/131070450/navoxoru.pdf
    • http://files.ssls-eg.com/uploads/1/3/1/4/131453022/fb3927a04.pdf
    • http://sojote.photosintheatticproject.com/uploads/1/3/1/0/131070374/7c66bf.pdf
    • https://cdn.shopify.com/s/files/1/0437/3846/4405/files/convolutional_neural_network_python.pdf
    • https://cdn.shopify.com/s/files/1/0432/1463/5165/files/93430611720.pdf
    • https://cdn.shopify.com/s/files/1/0431/6191/1460/files/27093071465.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pewobaropelizovijekozuji.pdf
    • https://cdn.shopify.com/s/files/1/0432/9170/5500/files/mugadu.pdf
    • https://cdn.shopify.com/s/files/1/0436/3390/1726/files/tunogoboxar.pdf
    • https://cdn.shopify.com/s/files/1/0432/7348/6496/files/wopavojibonuterokawilofak.pdf
    • https://cdn.shopify.com/s/files/1/0431/5892/9570/files/how_to_cite_report.pdf
    • https://cdn.shopify.com/s/files/1/0428/5241/7703/files/19729675425.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/muzoguganava.pdf
    • https://cdn.shopify.com/s/files/1/0431/1279/2221/files/electric_circuits_10th_edition_nilsson.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008263.bin
2cb27e364d8aebfd8e518c627da573249d0e3974bb4e86c6bb966ee5eadc1d50		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8263 5940 bytes
font_01_sfnt_off0000967e.bin
956131be8ac23c23371f90dfa8db14c11e1a972485e5655b374e34322fd82a41		 pdf-font-stream PDF embedded font (sfnt) at offset 0x967E 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.