Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf6724b4787b9e55…

MALICIOUS

PDF

45.5 KB Created: 2020-08-22 03:24:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fce58f248b732a2ad112cd6ec5a3cc29 SHA-1: efe9e5f5e932a7fab9762da385e82c78e38158ad SHA-256: cf6724b4787b9e55194daa9551981f8a0701d62861ece8c237ea5357904aa018
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm and a malicious redirector URL, indicating a phishing or scam attempt. The document body, though heavily obfuscated, contains text related to 'ID card psd templates free' and the malicious URL. The primary heuristic indicates the PDF links to known malicious redirector infrastructure, and another heuristic identifies it as a PDF link farm.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=id+card+psd+templates+free
    • http://lezikoku.oxfordcoffee.com/uploads/1/3/0/7/130775379/0ce191ff.pdf
    • http://files.moirsa.org/uploads/1/3/0/9/130969981/pukijalamagubabunu.pdf
    • http://files.ellisensemble.com/uploads/1/3/0/7/130775429/vuluzuxajagozebovij.pdf
    • https://cdn.shopify.com/s/files/1/0433/7090/5750/files/fafiwajixupu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3724/5086/files/40243227054.pdf
    • https://cdn.shopify.com/s/files/1/0431/4306/9858/files/41751936573.pdf
    • https://cdn.shopify.com/s/files/1/0432/2174/5822/files/22001394957.pdf
    • https://cdn.shopify.com/s/files/1/0440/1335/5166/files/jabemedukabetimatik.pdf
    • https://cdn.shopify.com/s/files/1/0430/3775/3501/files/bmtc_bus_routes_and_numbers.pdf
    • https://cdn.shopify.com/s/files/1/0430/0134/8255/files/xifakusovevawaxuwesexugo.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5239/files/vulijipe.pdf
    • https://cdn.shopify.com/s/files/1/0440/8537/9237/files/software_application_developer_information.pdf
    • https://cdn.shopify.com/s/files/1/0431/5381/7749/files/libreoffice_templates_budget.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bd4.bin
55d6bb24da0ad4cc17eb2a6692119099eeac96c9f9607a3c42b5ccb634b7a296		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BD4 5236 bytes
font_01_sfnt_off00007d86.bin
997654ac33c0ecb427c083fe00ff5811c3bb17d1f3796ba8f1038abc501714a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D86 13832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.