Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8ca4b2838c44e89…

MALICIOUS

PDF

57.3 KB Created: 2020-08-09 10:33:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9067e84ac3bb8c7826e1763ae3bb3ddd SHA-1: dc79ac5c41e8925fd0d31a357684c43aaa49b60b SHA-256: d8ca4b2838c44e895c29306747a708af0c77b434c4589d8725fdb707007267b0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a prominent link that redirects to a malicious URL, disguised as a free download for a script. This indicates a social engineering attack aimed at tricking users into visiting a potentially harmful site. The PDF also exhibits characteristics of a link farm, suggesting an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bengali+comedy+drama+script+pdf+free+download
    • http://files.kamtectools.com/uploads/1/3/2/6/132683070/6998208.pdf
    • http://devit.milesindustriesnz.com/uploads/1/3/1/4/131453574/fujatedo_setikudenikem.pdf
    • http://lamipemi.trinibnb.com/uploads/1/3/1/0/131070420/dowofezizekusizad.pdf
    • https://cdn.shopify.com/s/files/1/0433/1077/6484/files/67712053650.pdf
    • https://cdn.shopify.com/s/files/1/0430/9227/9460/files/cateter_venoso_periferico_calibres.pdf
    • https://cdn.shopify.com/s/files/1/0434/5197/3799/files/beauty_and_the_beast_piano.pdf
    • https://cdn.shopify.com/s/files/1/0430/3680/3233/files/jiteriguvapebitetarozeduj.pdf
    • https://cdn.shopify.com/s/files/1/0435/5555/3432/files/94089728490.pdf
    • https://cdn.shopify.com/s/files/1/0440/1987/5998/files/employee_learning_and_development.pdf
    • https://cdn.shopify.com/s/files/1/0431/9114/0512/files/java_matrix_class.pdf
    • https://cdn.shopify.com/s/files/1/0428/6241/1935/files/jerinelemebuv.pdf
    • https://cdn.shopify.com/s/files/1/0437/8089/8973/files/39945566138.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008a3d.bin
20bd7fd0cb3f3a6f2a0b4aae209dd1877c80f87c77084f2068c85299412ca464		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A3D 5720 bytes
font_01_sfnt_off00009db6.bin
1af088d18070d5a2f09e2c97fa08f9e9c27a683a5ea02edb8ae12f532208e91a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9DB6 10688 bytes
font_02_sfnt_off0000c289.bin
43dd7310e986e37c0562d6efd2a67b6291a0d41fa892ecd43b306c3e7231f7b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC289 16148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.