Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfeeedb38aac8eb5…

Verdict: MALICIOUS
File type: PDF
Size: 51.2 KB
Created: 2020-08-09 23:03:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f30caee9d817b9c70f7945dfe9dd75e
SHA-1: 0c6b76085c70beaa66a2039a0a1417c4a7711c88
SHA-256: cfeeedb38aac8eb563897de8bf862def19b989029fe62acc29a9c3701ebebc37
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF carries a clickable link to known malicious redirector infrastructure, `https://ttraff.cc/pify?keyword=biblia+interlineal+pdf+gratis`. The `keyword` parameter mirrors the search query the lure targets ("biblia interlineal pdf gratis"), which lets the redirector send the victim to whatever landing page the campaign is currently serving, typically unwanted-software installers or credential-harvesting pages. The same URL is also present in the document's text content (not plainly readable in the raw file, since wkhtmltopdf emits compressed content streams), so the lure is both visible to the reader and wired into the link annotation. The remaining link annotations point to other PDFs hosted on `cdn.shopify.com` and on several custom domains that share an identical `/uploads/N/N/N/N/<id>/` path layout, a pattern consistent with SEO spam uploaded to legitimate hosting platforms rather than attacker-owned infrastructure. Compromise depends on the user following a link; no PDF parser vulnerability is involved.

Heuristics (3 matched)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs by channel:

    Link annotation, redirector (lure target; also present in the document text):
    • https://ttraff.cc/pify?keyword=biblia+interlineal+pdf+gratis

    Link annotations, external PDF links (link farm): 5 custom domains sharing an identical /uploads/N/N/N/N/<id>/ path layout, and 12 on cdn.shopify.com:
    • http://files.melisandepage.com/uploads/1/3/0/7/130739021/4115966.pdf
    • http://getit.muskegonbibleinstituteinc.com/uploads/1/3/1/4/131437736/3920375.pdf
    • http://files.budapest-scooter-tour.com/uploads/1/3/0/9/130969053/2976785.pdf
    • http://files.revncg.com/uploads/1/3/1/4/131483147/wedavero_pumipafeze_sisuv_firaz.pdf
    • http://files.gabrielschristmas.com/uploads/1/3/1/3/131382030/4466559.pdf
    • https://cdn.shopify.com/s/files/1/0448/3943/6449/files/letter_for_college_admission.pdf
    • https://cdn.shopify.com/s/files/1/0427/9985/7823/files/34946059474.pdf
    • https://cdn.shopify.com/s/files/1/0428/5405/6092/files/saratoga_springs_ny_zip_code.pdf
    • https://cdn.shopify.com/s/files/1/0429/5216/3481/files/modosunetepiwogubujubiv.pdf
    • https://cdn.shopify.com/s/files/1/0431/3668/0102/files/54693017015.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vejut.pdf
    • https://cdn.shopify.com/s/files/1/0435/2960/1175/files/namapexoxipowobuwo.pdf
    • https://cdn.shopify.com/s/files/1/0436/1850/0765/files/vidibesipi.pdf
    • https://cdn.shopify.com/s/files/1/0438/4777/8469/files/greek_myths_short_stories.pdf
    • https://cdn.shopify.com/s/files/1/0431/9890/6528/files/axel_vervoordt_wabi_inspirations.pdf
    • https://cdn.shopify.com/s/files/1/0431/6345/1560/files/gasakudusov.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51994241049.pdf

    XMP metadata namespace URIs (RDF, Dublin Core and Adobe schema identifiers written by the authoring tool; not clickable links and not indicators, so they must be excluded before counting external links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
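As an added example (not the analyzer's own code), the two critical heuristics above and the per-channel URL labelling that the EMBEDDED_URL note asks for can be reproduced with a short Python script over raw PDF bytes. The thresholds (200 KB, 10 external .pdf links, a 50% single-host share) are assumptions, the redirector list holds only the host named in this report, and the sample PDF is constructed inside the script from the URLs listed above so that it runs offline.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hypothetical thresholds (assumed for this example, not the analyzer's real tuning).
SMALL_PDF_BYTES = 200 * 1024   # "small PDF"
MIN_PDF_LINKS = 10             # "many external PDF links"
MIN_TOP_HOST_SHARE = 0.5       # "mostly clustered on one host"
# Redirector host named in this report; production code would use an intel feed.
KNOWN_REDIRECTORS = {"ttraff.cc"}

# /URI key followed by a literal (...) or hex <...> string. Link annotation dicts
# in wkhtmltopdf output are uncompressed, so a byte regex reaches them directly.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def _decode_uri(literal, hexstr):
    """Decode the string captured by URI_RE (literal or hex form)."""
    if literal is not None:
        return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")
    return bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii")).decode("latin-1")


def extract_urls(pdf):
    """Group URLs by channel. XMP namespace URIs are schema identifiers, not
    clickable links, so they are reported separately and never counted below."""
    channels = {"link-annotation": set(), "xmp-metadata": set()}
    for m in URI_RE.finditer(pdf):
        channels["link-annotation"].add(_decode_uri(m.group(1), m.group(2)))
    for block in XMP_RE.finditer(pdf):
        for u in URL_RE.finditer(block.group(0)):
            channels["xmp-metadata"].add(u.group(0).decode("latin-1"))
    return channels


def link_farm_verdict(pdf):
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM to raw PDF bytes."""
    links = extract_urls(pdf)["link-annotation"]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted(u for u in links if urlparse(u).hostname in KNOWN_REDIRECTORS)
    hits = []
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS
            and share >= MIN_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    return {"size_bytes": len(pdf), "pdf_link_count": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 3),
            "redirectors": redirectors, "hits": hits}


def build_sample_pdf(link_urls, xmp_namespaces=("http://ns.adobe.com/xap/1.0/",)):
    """Constructed minimal PDF (not the real sample): one page, one /Link annot
    per URL, one XMP metadata stream. URLs must not contain ')'."""
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(link_urls)))
    objs = [f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
            f"/A << /S /URI /URI ({u}) >> >>\nendobj\n" for i, u in enumerate(link_urls)]
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           + "".join(f'<rdf:Description xmlns:pdf="{ns}"/>' for ns in xmp_namespaces)
           + "</x:xmpmeta>")
    parts = ["%PDF-1.4\n",
             "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
             "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>\nendobj\n",
             f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
             f"stream\n{xmp}\nendstream\nendobj\n",
             *objs, "trailer\n<< /Root 1 0 R >>\n%%EOF\n"]
    return "".join(parts).encode("latin-1")


# Link set taken from this report: the redirector plus 13 of the .pdf links.
SAMPLE_LINKS = [
    "https://ttraff.cc/pify?keyword=biblia+interlineal+pdf+gratis",
    "http://files.melisandepage.com/uploads/1/3/0/7/130739021/4115966.pdf",
    "http://getit.muskegonbibleinstituteinc.com/uploads/1/3/1/4/131437736/3920375.pdf",
    "http://files.budapest-scooter-tour.com/uploads/1/3/0/9/130969053/2976785.pdf",
    "http://files.revncg.com/uploads/1/3/1/4/131483147/wedavero_pumipafeze_sisuv_firaz.pdf",
    "http://files.gabrielschristmas.com/uploads/1/3/1/3/131382030/4466559.pdf",
    "https://cdn.shopify.com/s/files/1/0448/3943/6449/files/letter_for_college_admission.pdf",
    "https://cdn.shopify.com/s/files/1/0427/9985/7823/files/34946059474.pdf",
    "https://cdn.shopify.com/s/files/1/0428/5405/6092/files/saratoga_springs_ny_zip_code.pdf",
    "https://cdn.shopify.com/s/files/1/0429/5216/3481/files/modosunetepiwogubujubiv.pdf",
    "https://cdn.shopify.com/s/files/1/0431/3668/0102/files/54693017015.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vejut.pdf",
    "https://cdn.shopify.com/s/files/1/0435/2960/1175/files/namapexoxipowobuwo.pdf",
    "https://cdn.shopify.com/s/files/1/0436/1850/0765/files/vidibesipi.pdf",
]

if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_LINKS)).items():
        print(f"{key}: {value}")
```

On the constructed sample both critical rules fire, with `cdn.shopify.com` as the dominant host, while the XMP namespace URI surfaces only under `xmp-metadata` and never enters the link-farm count. To run it against a real file, pass `open(path, "rb").read()`; annotation dictionaries packed into object streams (`/ObjStm`) or Flate-compressed would need decompressing first, which this regex-level extractor deliberately does not attempt.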

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                   | Size
font_00_sfnt_off0000541a.bin | f1585241b59a1002e627af24859d8bddc2a41f5101ead6a7a290360bc82d6b36 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x541A | 2912 bytes
font_01_sfnt_off00005e7f.bin | c9e9b5fd092b037d9637e5b92f5a077a1950ab1cb7eba1d1f1797e0a1b780064 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E7F | 5076 bytes
font_02_sfnt_off00006fb4.bin | 7c849c819def30a085bff786074276235b33ec1bacd319f6d7fef517f6acebbf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FB4 | 1796 bytes
font_03_sfnt_off000078a6.bin | 545ad1dbe53d4f9ec56baeba229f16bd370342e9d1a07f9c74fc0edefc9a416a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x78A6 | 10124 bytes
font_04_sfnt_off00009b5a.bin | 8495dff0895936632a550c385781be6cc7fcd2ad0fc4c9557ca640f60c0837b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9B5A | 16196 bytes
font_05_sfnt_off0000b09c.bin | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB09C | 4324 bytes

All six carved artifacts are embedded sfnt (TrueType/OpenType) font programs, which is expected for wkhtmltopdf output; none is an executable payload, consistent with the heuristics' note that this campaign relies on link redirection rather than a parser exploit.