Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd65e5d0ec0e5651…

MALICIOUS

PDF

39.6 KB Created: 2020-08-19 01:20:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dcd2961d65bc4ed364d6abb4c4ad720c SHA-1: a9487c45aef9820be3d847a2ed1d45952d901e27 SHA-256: dd65e5d0ec0e5651f452a205e85607f11fe9d6a6af14de0770b1d53927e1a70e
208 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF contains multiple embedded URLs, with one pointing to a known malicious redirector. It also includes a link farm of other PDFs hosted on Shopify, suggesting an attempt to manipulate search engine results or distribute content broadly. The document explicitly instructs the user to disable security software and provides a password for an archive, indicating a multi-stage attack designed to bypass security controls and deliver a payload. The presence of a download button lure further supports this malicious intent.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=kmspico+v4+for+office+2013
    • http://files.victory-ball.com/uploads/1/3/2/7/132740814/towupeduxapexe.pdf
    • http://files.constructionindustryhelpline.com/uploads/1/3/1/1/131164558/9892547.pdf
    • https://cdn.shopify.com/s/files/1/0437/8905/8206/files/xezoxesodejisagabez.pdf
    • https://cdn.shopify.com/s/files/1/0430/3477/1610/files/zitemabimerikuloduxo.pdf
    • https://cdn.shopify.com/s/files/1/0433/7975/3109/files/54271457055.pdf
    • https://cdn.shopify.com/s/files/1/0430/4044/0471/files/47779498521.pdf
    • https://cdn.shopify.com/s/files/1/0430/7792/7072/files/4767567769.pdf
    • https://cdn.shopify.com/s/files/1/0429/9853/0202/files/astellas_logo.pdf
    • https://cdn.shopify.com/s/files/1/0437/2060/5848/files/vosafidosiwel.pdf
    • https://cdn.shopify.com/s/files/1/0438/8762/4344/files/faxepaxonarib.pdf
    • https://cdn.shopify.com/s/files/1/0431/8091/6893/files/caresse_sur_l_ocean_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/94393320092.pdf
    • https://cdn.shopify.com/s/files/1/0430/7222/5442/files/40387493641.pdf
    • https://cdn.shopify.com/s/files/1/0432/6309/9040/files/78106129067.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ac7.bin
38e0266810021f470178620ef55770d95523dffbb4c613daf619fb0d0adb135b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AC7 5528 bytes
font_01_sfnt_off00006d97.bin
0c6998390ec28d42c2bd31e674f71e2ef0a31a8df938a35e9f84d0e7ad922150		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D97 10628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.