Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9e1906cd657c02c…

MALICIOUS

PDF

53.0 KB Created: 2020-08-23 11:04:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f672dd33ddbbb9cf5177001ef6b6065 SHA-1: 2c113d240c281157572be35054e2663cd80ec2ea SHA-256: d9e1906cd657c02c9f8b8f40664a19e645b9ea959afd59d58595aa30b2732810
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded URLs, with a critical heuristic firing for a malicious redirector link. Another critical heuristic indicates a PDF link farm, suggesting an attempt to manipulate search engine results or distribute malicious content. The presence of a malicious redirector URL and numerous external links points towards a campaign leveraging SEO manipulation or deceptive content delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=asma+gina+2018+pdf+espa%25C3%25B1ol
    • http://favuvajan.lovedxluna.com/uploads/1/3/1/6/131636725/4858043.pdf
    • http://files.rauwhiro.com/uploads/1/3/1/1/131163841/9c93101a8.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/titigabibuzumazavuxi.pdf
    • https://cdn.shopify.com/s/files/1/0428/8518/5702/files/bugipomotosotumem.pdf
    • https://cdn.shopify.com/s/files/1/0450/1949/6606/files/coachmen_rv_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/6666/1791/files/36855272122.pdf
    • https://cdn.shopify.com/s/files/1/0430/5177/8202/files/6718768405.pdf
    • https://cdn.shopify.com/s/files/1/0439/1544/4379/files/toefl_test_preparation_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/1829/7245/files/26940039676.pdf
    • https://cdn.shopify.com/s/files/1/0433/6680/9765/files/etymology_dictionary_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0438/8772/2648/files/john_deere_440.pdf
    • https://cdn.shopify.com/s/files/1/0459/3126/6215/files/21448847237.pdf
    • https://cdn.shopify.com/s/files/1/0429/4469/2383/files/advanced_accounting_joint_venture.pdf
    • https://cdn.shopify.com/s/files/1/0433/9279/4774/files/68818845941.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008ecc.bin
8ffa5c6cec7da915b0815e05ccdb8b83f0e8039135ca005d498f045891f33347		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8ECC 5984 bytes
font_01_sfnt_off0000a2da.bin
c04866ddb18b05517de1e45148ca5495945fbbf0eb4a48b91e8d5a96b36d1cb2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2DA 10260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.