Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5ec67c4f24b9c5c…

MALICIOUS

PDF

39.3 KB Created: 2020-09-18 13:37:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d28cc026f862a38d91e2ecdabbec34f SHA-1: 350ec4870333584bdd0bec8a44b94b6072e5d079 SHA-256: d5ec67c4f24b9c5c49f8a3bb506da1609ada0d5fac5b1c594c9a23255f053217
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, suggests a lure related to payment responsibility. The PDF also contains a large number of embedded links, many of which point to Shopify domains, as indicated by the PDF_SEO_LINK_FARM heuristic. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=letter+of+responsibility+for+payment
    • http://files.lwmphotography.co.uk/uploads/1/3/1/4/131410685/kukitifizija.pdf
    • http://files.geoffgoodsonhorsemanship.com/uploads/1/3/1/6/131607010/fd34d85184.pdf
    • https://cdn.shopify.com/s/files/1/0434/7848/3096/files/ieema_annual_report_2018.pdf
    • https://cdn.shopify.com/s/files/1/0431/5516/1252/files/xerorigetedewega.pdf
    • https://cdn.shopify.com/s/files/1/0461/0624/7332/files/google_sheet_templates_for_customers.pdf
    • https://cdn.shopify.com/s/files/1/0433/3145/3081/files/wavazuvolozed.pdf
    • https://19537297-f1b6-437f-ab06-8e140fda2fa3.filesusr.com/ugd/43d598_b26466e80df849a49901b6278ab5c16a.pdf?index=true
    • https://9f7b6a81-ac77-4f22-b935-2169807c1509.filesusr.com/ugd/238140_e0b371e6b59d4cef8bd904876e8fb2b9.pdf?index=true
    • https://b339a926-ee4b-42a8-818f-bc56257855f7.filesusr.com/ugd/2072cd_de1b6f5e4e8b48ea83779d0d43a1aee5.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/8556/8925/files/semi_automatic_transmission.pdf
    • https://cdn.shopify.com/s/files/1/0436/4831/9638/files/hemolytic_anemia_classification.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c12.bin
4d58da05af4e212b839890fbb2fdecd1c4e0e015650a6dd0b963685d78efb554		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C12 5228 bytes
font_01_sfnt_off00006dd3.bin
a63c4d270537984e0d88688e850f3a796494e632b49387fdde0e32cf130586ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DD3 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.