Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd77aa5c5a9399e7…

MALICIOUS

PDF

42.4 KB Created: 2020-08-02 11:41:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5709cd31683a8f7bc6022e0d4e15c96c SHA-1: 93564dbc02cccf688c5114eb40c4c5602fe046cd SHA-256: cd77aa5c5a9399e70f66fdc7bfd3c8718054f04fbb4da24af203cd98a0abd5e4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains text referencing 'arrl technician study guide pdf' and includes the malicious URL. This suggests a social engineering tactic to drive traffic to potentially harmful sites. The presence of a malicious redirector URL indicates an attempt to obscure the final destination, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=arrl+technician+study+guide+pdf
    • http://files.thestaratstar.com/uploads/1/3/0/8/130814601/joxew.pdf
    • http://files.informstamu.com/uploads/1/3/2/7/132740214/rijobezitupuzit-lunuzopiweweg.pdf
    • http://files.jeresuontausta.com/uploads/1/3/1/8/131871740/1753933.pdf
    • http://files.asdontheroad2019.org/uploads/1/3/1/3/131384424/likikatunopupe.pdf
    • https://cdn.shopify.com/s/files/1/0428/3406/7615/files/kupexu.pdf
    • https://cdn.shopify.com/s/files/1/0428/0408/4899/files/nabugef.pdf
    • https://cdn.shopify.com/s/files/1/0429/3492/7513/files/pikimedonilapalavotupi.pdf
    • https://cdn.shopify.com/s/files/1/0436/3331/1904/files/19336322230.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/70913092576.pdf
    • https://cdn.shopify.com/s/files/1/0434/3057/6278/files/bonobas.pdf
    • https://cdn.shopify.com/s/files/1/0431/1531/5349/files/depiduwitoxazinajelix.pdf
    • https://cdn.shopify.com/s/files/1/0430/8054/8503/files/9623259556.pdf
    • https://cdn.shopify.com/s/files/1/0433/9538/3446/files/chains_book_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0434/0888/3870/files/xajirovosononibi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006515.bin
000bac304c65e7f4ec2dc25980d7d8a2a30077db802de28f7efe52cc2a82c064		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6515 5508 bytes
font_01_sfnt_off000077d7.bin
0b5e086b6fb993e3d99c8ccb12f4c9fde03ab75ac57b1e0bf60f75872d68efe3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77D7 10828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.