Malicious PDF — malware analysis report

Static analysis result for SHA-256 d55586bd1bf15422…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-08-11 21:35:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 799cbef88089f87464c20dcc2066738a
SHA-1: ca1e6007b8d8392b633357ffaff26742c3d4c7d8
SHA-256: d55586bd1bf154229679b5c3eed6abe7526e93774bdb84b0eef11b254149b0c4
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link: its one non-PDF clickable link points to ttraff.com with a keyword parameter that mimics a search for "senior desktop support engineer interview questions and answers pdf", a lure that routes the reader through redirector infrastructure, likely to further malicious content or phishing pages. The same URL also appears as a string in the document body, which is otherwise heavily obfuscated, so the lure is not confined to a single link annotation. The remaining clickable links are a mass of external .pdf URLs, most of them on cdn.shopify.com and the rest on files.*.com upload paths with the same directory shape; in a 45.8 KB document generated from HTML by wkhtmltopdf this is the pattern of a templated SEO link-farm carrier, not genuine document citations. Nothing in the static findings accounts for the PowerShell technique mapping (only link annotations, URL strings and three embedded fonts were extracted), so treat that mapping as a campaign-level association rather than behaviour observed in this sample. The w3.org, purl.org and ns.adobe.com URIs in the extracted-URL list are XMP metadata namespace identifiers, not links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record which channel reached each URL.
    • https://ttraff.com/pify?keyword=senior+desktop+support+engineer+interview+questions+and+answers+pdf
    • http://files.ctisports.com/uploads/1/3/1/6/131606392/lavutarideguwo.pdf
    • http://files.shoppapillonboutique.com/uploads/1/3/0/8/130813953/papewamafewa_noxaninekipav.pdf
    • http://files.prayingoutloudfoundation.com/uploads/1/3/0/8/130813931/dufazalibesodiv.pdf
    • http://files.one21i.com/uploads/1/3/1/4/131482832/kekijoloforese-mivodinebebu.pdf
    • http://files.fycdepaper.com/uploads/1/3/1/4/131406391/0e835b0a.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87745409623.pdf
    • https://cdn.shopify.com/s/files/1/0428/4999/2870/files/tudese.pdf
    • https://cdn.shopify.com/s/files/1/0435/3500/7893/files/vunemejenajafo.pdf
    • https://cdn.shopify.com/s/files/1/0437/1503/5291/files/zinijusemuwabunew.pdf
    • https://cdn.shopify.com/s/files/1/0431/3274/7927/files/10344933250.pdf
    • https://cdn.shopify.com/s/files/1/0428/4026/0775/files/nasojipef.pdf
    • https://cdn.shopify.com/s/files/1/0430/9522/8565/files/fujofigixezalus.pdf
    • https://cdn.shopify.com/s/files/1/0433/1126/7990/files/zapirosudapusu.pdf
    • https://cdn.shopify.com/s/files/1/0434/6983/2354/files/orquideas_de_costa_rica.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/government_grants_act.pdf
    • https://cdn.shopify.com/s/files/1/0429/0543/6326/files/24153342109.pdf
    • https://cdn.shopify.com/s/files/1/0432/3429/5966/files/tax_audit_report_new_format.pdf
    • https://cdn.shopify.com/s/files/1/0436/1030/8765/files/59281449687.pdf
    • https://cdn.shopify.com/s/files/1/0434/1478/2104/files/fevupen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0436/1030/8765/files/59281449687.pd
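
The two critical heuristics above amount to a small amount of logic over the link annotations: pull every /URI action out of the file, count the external .pdf links, measure how concentrated they are on one host, and check each host against a redirector list. The block below is an added example of that logic, not the scanner's own code. It builds a minimal uncompressed PDF inline (constructed, not the analysed sample), extracts /URI strings with a raw-byte scan, and applies both checks. The thresholds (100 KB, ten links, 60% on one host) and the redirector list seeded with ttraff.com are assumptions for illustration; a real deployment would take both from its own rule set and threat-intel feed. Objects packed into FlateDecode object streams are invisible to this scan until inflated, which is the usual reason a raw-byte pass under-counts.

```python
"""Added example: extract link-annotation URIs from a PDF's raw bytes and apply a
redirector / SEO link-farm heuristic of the kind the report describes.
Stdlib only. The sample PDF is constructed here and is not the analysed file."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed denylist, seeded with the redirector host this report names.
# A real deployment would pull this from a threat-intel feed.
REDIRECTOR_HOSTS = {"ttraff.com"}

# Matches /URI (...) in uncompressed /Link annotation actions and handles the
# backslash escape for ")" inside the string. Objects inside FlateDecode object
# streams are NOT visible to this scan until they are inflated.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def build_sample_pdf(uris):
    """Constructed minimal, uncompressed PDF with one /Link annotation per URI."""
    annots, objs = [], []
    for n, uri in enumerate(uris, start=4):
        annots.append(f"{n} 0 R")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
                    f" /A << /S /URI /URI ({uri}) >> >>\nendobj\n")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>\nendobj\n"
            + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


def extract_link_uris(pdf_bytes):
    """Return link-annotation URIs found in the raw (uncompressed) PDF bytes."""
    return [m.decode("latin-1").replace("\\)", ")").replace("\\(", "(")
            for m in URI_RE.findall(pdf_bytes)]


def analyse(pdf_bytes, max_size=100 * 1024, min_pdf_links=10, cluster_ratio=0.6):
    """Apply the redirector and link-farm checks. Thresholds are assumptions."""
    uris = extract_link_uris(pdf_bytes)
    parsed = [(u, urlparse(u)) for u in uris]
    external_pdf = [u for u, p in parsed
                    if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    redirector_hits = [u for u, p in parsed if p.netloc.lower() in REDIRECTOR_HOSTS]
    link_farm = (len(pdf_bytes) <= max_size
                 and len(external_pdf) >= min_pdf_links
                 and top_count / len(external_pdf) >= cluster_ratio)
    return {
        "total_links": len(uris),
        "external_pdf_links": len(external_pdf),
        "top_host": top_host,
        "top_host_share": round(top_count / len(external_pdf), 2) if external_pdf else 0.0,
        "redirector_hits": redirector_hits,
        "link_farm": link_farm,
        "verdict": "critical" if (link_farm or redirector_hits) else "clean",
    }


# Constructed URI set mirroring the report's pattern: one redirector lure,
# fourteen .pdf links on a single CDN host, five on scattered upload hosts.
LINK_FARM_URIS = (
    ["https://ttraff.com/pify?keyword=senior+desktop+support+engineer+interview+questions+and+answers+pdf"]
    + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/doc{i}.pdf" for i in range(14)]
    + [f"http://files.example{i}.test/uploads/1/3/1/6/1316{i:04d}/file{i}.pdf" for i in range(5)]
)
BENIGN_URIS = ["https://www.example.org/paper.pdf", "https://docs.example.net/guide.html"]

if __name__ == "__main__":
    print(analyse(build_sample_pdf(LINK_FARM_URIS)))   # flagged: link farm + redirector
    print(analyse(build_sample_pdf(BENIGN_URIS)))      # clean
```

The ttraff.com lure is deliberately not counted as a link-farm link (its path is /pify, not a .pdf), so the two heuristics stay independent: a file can hit the redirector check with a single link, and a link farm is flagged on link density alone even when no host is on the denylist.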

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each entry lists the carved filename, its SHA-256, the artifact kind, where in the sample it was found, and its size. The only carved artifacts are three embedded fonts, which is expected for a wkhtmltopdf-generated document; nothing else was carved.

font_00_sfnt_off000066b6.bin
  SHA-256: f938260b325f61bab26b557ff56b2774e4d33b9b0653ac91091834c6b0f7fe2f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66B6
  Size: 5504 bytes

font_01_sfnt_off0000797f.bin
  SHA-256: 07d77391409c0f18f08fe8fc29a297081ba9e02e00502c4bc2eb286127efbf35
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x797F
  Size: 9908 bytes

font_02_sfnt_off00009b6c.bin
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9B6C
  Size: 4324 bytes
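
The offsets and sizes in the artifact entries are what a carver derives from the sfnt table directory: it finds a font magic, reads the table records, and takes the end of the furthest table as the end of the font. The block below is an added example of that procedure, not the scanner's carver. It constructs two well-formed sfnt blobs and a PDF-like carrier around them (all constructed, none of it the analysed sample), scans for the three common magics, rejects hits whose directory is implausible (the decoy "true" in a text line), and names each carve the way the report does. It assumes the font bytes are present uncompressed, as they would be after inflating the stream; scanning a raw file with FlateDecode streams still in place would find nothing.

```python
"""Added example (not the scanner's code): carve embedded sfnt fonts out of a
byte blob by validating the sfnt table directory and sizing each font from it.
Stdlib only. FONT1, FONT2 and BLOB are constructed here, not the analysed sample."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Mac TrueType
# Offset table: sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
HEADER = struct.Struct(">4sHHHH")
# Table record: tag(4) checksum(4) offset(4) length(4); offsets are relative to the font start
RECORD = struct.Struct(">4sIII")


def build_sample_sfnt(tables):
    """Construct a well-formed sfnt from {tag: payload}; tables are 4-byte aligned."""
    n = len(tables)
    records, data, off = [], b"", HEADER.size + n * RECORD.size
    for tag, payload in sorted(tables.items()):
        padded = payload + b"\0" * (-len(payload) % 4)
        records.append(RECORD.pack(tag, 0, off, len(payload)))
        data += padded
        off += len(padded)
    entry_selector = n.bit_length() - 1              # per spec: floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = HEADER.pack(b"\x00\x01\x00\x00", n, search_range, entry_selector,
                         n * 16 - search_range)
    return header + b"".join(records) + data


def sfnt_length(blob, start):
    """Length of a plausible sfnt beginning at blob[start], or None.
    The end is max(table offset + length) over the directory, rounded up to the
    4-byte alignment the format requires; implausible directories are rejected."""
    if len(blob) - start < HEADER.size:
        return None
    magic, num_tables, _, _, _ = HEADER.unpack_from(blob, start)
    if magic not in SFNT_MAGICS or not 0 < num_tables <= 64:
        return None
    dir_end = HEADER.size + num_tables * RECORD.size
    if start + dir_end > len(blob):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _, off, length = RECORD.unpack_from(blob, start + HEADER.size + i * RECORD.size)
        if not all(0x20 <= c <= 0x7E for c in tag):   # tags are printable ASCII ("cvt ", "OS/2")
            return None
        if off < dir_end or start + off + length > len(blob):   # table must follow the directory and fit
            return None
        end = max(end, off + length)
    return min((end + 3) & ~3, len(blob) - start)


def carve_sfnt(blob):
    """Find every sfnt magic, validate the hit, and return non-overlapping carves
    named like the report's artifacts (font_NN_sfnt_offXXXXXXXX.bin)."""
    hits = []
    for magic in SFNT_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            length = sfnt_length(blob, pos)
            if length:
                hits.append((pos, length))
            pos = blob.find(magic, pos + 1)
    carved, cursor = [], 0
    for pos, length in sorted(hits):
        if pos < cursor:            # hit lies inside a font already carved
            continue
        data = blob[pos:pos + length]
        carved.append({"name": f"font_{len(carved):02d}_sfnt_off{pos:08x}.bin",
                       "offset": pos, "size": length,
                       "sha256": hashlib.sha256(data).hexdigest()})
        cursor = pos + length
    return carved


_FILL = bytes(range(1, 256)) * 4   # zero-free filler, so no stray sfnt magic appears in table data
FONT1 = build_sample_sfnt({b"head": _FILL[:54], b"cmap": _FILL[:100], b"glyf": _FILL[:200]})
FONT2 = build_sample_sfnt({b"OS/2": _FILL[:96], b"cvt ": _FILL[:8]})
# Constructed carrier: PDF-like text around two uncompressed font streams. The word
# "truetype" in the comment line is a decoy magic that the directory check must reject.
BLOB = (b"%PDF-1.4\n% truetype fonts follow\n5 0 obj\n<< /Length 416 >>\nstream\n" + FONT1
        + b"\nendstream\nendobj\n6 0 obj\n<< /Length 148 >>\nstream\n" + FONT2
        + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for entry in carve_sfnt(BLOB):
        print(entry)
```

The directory walk is what keeps a magic-byte scan honest: a bare search for 0x00010000 fires on any zeroed word followed by 0x01, so every hit is checked for a sane table count, printable tags, and tables that fit inside the blob before anything is carved.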