Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd920390ba8aa9e1…

MALICIOUS

PDF

46.6 KB Created: 2020-07-31 23:19:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48f3667f97b1b2716a3437583c7ab6da SHA-1: 7a317633ed5bffd9345cd35f4a91f90201f9bee8 SHA-256: dd920390ba8aa9e15012817d021e233d2e91d4e92dd5ef1b38d53becdf79aada
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, with one identified as a malicious redirector. The document body is heavily obfuscated but contains the primary malicious URL. This suggests the document's purpose is to lure users to malicious websites, potentially for further exploitation or phishing. No scripts were extracted, and the family is unknown due to the lack of specific indicators.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=defendu+fairbairn+pdf
    • http://files.ctklutherannewtown.org/uploads/1/3/2/7/132712358/6deabc3137c.pdf
    • http://files.rcmun.org/uploads/1/3/1/3/131382395/9419165dfeb5.pdf
    • http://files.downschildrenscentre.com/uploads/1/3/0/8/130874201/f1684.pdf
    • http://files.abnist.com/uploads/1/3/1/8/131856545/jujawereb.pdf
    • https://cdn.shopify.com/s/files/1/0437/8371/7015/files/35131719959.pdf
    • https://cdn.shopify.com/s/files/1/0431/1125/2132/files/49734337158.pdf
    • https://cdn.shopify.com/s/files/1/0435/0256/7588/files/24405501565.pdf
    • https://cdn.shopify.com/s/files/1/0434/4872/9766/files/58645947037.pdf
    • https://cdn.shopify.com/s/files/1/0433/8935/4142/files/gerewiposakujoguripudu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5345/7320/files/tofaxenijutazedinutep.pdf
    • https://cdn.shopify.com/s/files/1/0431/2370/3970/files/xegasalamosifawawi.pdf
    • https://cdn.shopify.com/s/files/1/0431/9795/6256/files/dojubajinovet.pdf
    • https://cdn.shopify.com/s/files/1/0438/2218/6653/files/sukimejawino.pdf
    • https://cdn.shopify.com/s/files/1/0430/8529/9874/files/vajonazuwafufigogexa.pdf
    • https://cdn.shopify.com/s/files/1/0430/4168/5665/files/50189133676.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000787e.bin
51cc351a3c13e8da95a61b66427fb6780ee1d62f3c6fd3b4df3f6d45590620aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x787E 4964 bytes
font_01_sfnt_off00008974.bin
4736a24e97aec49200d5af077eb692b60dec961c6353ae6ea307b9c87be5667a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8974 10724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.