Malicious PDF — malware analysis report

Static analysis result for SHA-256 d413d1e3e26ef7c5…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-08-01 11:38:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2df66f4edb135f8a5e64f3fa9ff7209
SHA-1: 3974a572bd1a4b938b761ce364e98bd3ad547303
SHA-256: d413d1e3e26ef7c553052c19a9690ed5debbaf76687fb48ddce356d67be0bd57
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a Comcast upgrade URL, aiming to trick users into clicking it. The document body, though heavily obfuscated, contains the target URL and references to Comcast, reinforcing the phishing lure. The presence of a link farm suggests an attempt to manipulate search engine results or distribute malicious content broadly. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=comcast.+com%252F+deviceupgrade

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006d4f.bin
  SHA-256: fc9946827c4fde89c46e40487e0ccb4932bd2b07ab24f2b712d6a6c870ff88b7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6D4F
  Size: 5396 bytes

Filename: font_01_sfnt_off00007fa4.bin
  SHA-256: 4500a8759a688839c7c788dd298d959667084bf1e4b13c5f38518c1542698add
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7FA4
  Size: 10892 bytes