Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca5aa9153b907177…

MALICIOUS

PDF

37.3 KB Created: 2020-08-22 21:29:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ad8e0b19d25dabc5d87434dfab4671b SHA-1: 9cccedf65ad5d9e909ee66631c80d6b7d118e866 SHA-256: ca5aa9153b9071773559501eb434e1e6a8afc4c1b48643714c988d0e71dc9005
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link is disguised as a search result for a school uniform store, indicating a phishing or social engineering lure. The PDF also contains a large number of embedded links, many pointing to Shopify, suggesting a link farm or SEO manipulation tactic to host malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=belleville+nj+school+uniform+store
    • http://wonume.brianchilders.org/uploads/1/3/0/7/130775934/mutukakezek.pdf
    • http://jinizij.tacalliancedistributors.com/uploads/1/3/1/3/131398455/976a91ffb60202.pdf
    • https://cdn.shopify.com/s/files/1/0431/1482/3834/files/aristophanes_wasps.pdf
    • https://cdn.shopify.com/s/files/1/0434/4938/5126/files/cambridge_cae_1_listening_test_1.pdf
    • https://cdn.shopify.com/s/files/1/0431/7341/3028/files/pemelamubagi.pdf
    • https://cdn.shopify.com/s/files/1/0435/0168/2843/files/multiple_case_study_design.pdf
    • https://cdn.shopify.com/s/files/1/0433/2240/9125/files/advantages_of_case_study_research_design.pdf
    • https://cdn.shopify.com/s/files/1/0440/1584/5541/files/76089437077.pdf
    • https://cdn.shopify.com/s/files/1/0432/7319/1580/files/tifezilomakojisoliz.pdf
    • https://cdn.shopify.com/s/files/1/0431/8747/0496/files/4864187895.pdf
    • https://cdn.shopify.com/s/files/1/0434/8100/6244/files/gakizixisujowefififefus.pdf
    • https://cdn.shopify.com/s/files/1/0433/2814/3510/files/19008230084.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004761.bin
db2885da2f14dcaa0b00dea71f16ba73e311da82d881911ee820483647ef2420		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4761 4980 bytes
font_01_sfnt_off00005829.bin
cba99ef4e673fd4cfff04790dc06c463fd930c9a18f7cc74073e3d168168e32f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5829 9964 bytes
font_02_sfnt_off00007a40.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A40 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.