Malicious PDF — malware analysis report

Static analysis result for SHA-256 d94dcdb6e9cf4113…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-08-11 01:57:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae3a67848322613a5f31a9fd378e7534
SHA-1: a37bf7536a9893eb437b3ba7b30783d3d150bccf
SHA-256: d94dcdb6e9cf4113081fc90d45cfb0b8aabb298364197d9fd2d654690ef5e7bd
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to Shopify domains, but one critical link redirects to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the malicious redirect. This suggests a phishing or scam attempt where the user is lured by the promise of a tutorial to a malicious site.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=avr+asm+tutorial+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007434.bin
  SHA-256: e143521625ac102df04acdb97647e0835f6f0b4ccf8d095e482676bc50e24099
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7434
  Size: 5236 bytes

Filename: font_01_sfnt_off000085f5.bin
  SHA-256: fd2eaf1c4ffbfbc4662b86fa869f9e2d4e92eea8ffd25bf7ac51d54bfc9bb9a5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x85F5
  Size: 10560 bytes