Malicious PDF — malware analysis report

Static analysis result for SHA-256 d53fbfeb25cc48d3…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-08-12 06:46:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de7af1727df607db3a08c29ff9f7d39d
SHA-1: 5d270ba857e45a3869036482f3787873d33845c9
SHA-256: d53fbfeb25cc48d3a9fbb45ed9dc6babef559347012addb185649d174fc6d399
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=mapa+amsterdam+pdf+gratis'. Additionally, a 'SE_CLIPBOARD_COMMAND_LURE' heuristic indicates the document instructs users to copy and paste content into a shell, a common technique for downloading and executing further malicious payloads. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm used for SEO poisoning or distributing malicious content.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=mapa+amsterdam+pdf+gratis

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000064cf.bin
    SHA-256: 62e4be90eb2310e29baede82f1c002f3dbb392c8855d5428c3f84d0b7136be3d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x64CF; Size: 4908 bytes
  • font_01_sfnt_off00007577.bin
    SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7577; Size: 1800 bytes
  • font_02_sfnt_off00007e04.bin
    SHA-256: 2614f8a2ec1f19b4a3c856ea21a35202df36d77e0530f13cf0a948b6e47ad6e6
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7E04; Size: 10400 bytes
  • font_03_sfnt_off0000a190.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xA190; Size: 4324 bytes