Malicious PDF — malware analysis report

Static analysis result for SHA-256 df4af3b69e1ee743…

MALICIOUS

PDF

51.6 KB Created: 2020-08-13 18:15:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fe965408ee57839de64d1be69866cb1 SHA-1: a0815979d1e3ebe672cc703940ed7b7ca5c7e808 SHA-256: df4af3b69e1ee743e249d684ff058fa566b383b15c5ccfe26eeceb8e53478e2b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, with one critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. This suggests the primary attack vector is to lure the user into clicking the link, leading to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=makalah%20budidaya%20kelapa%20sawit%20pdf
    • http://files.markmarinozzi.com/uploads/1/3/2/7/132740665/zasem.pdf
    • http://files.photoartnm.com/uploads/1/3/0/9/130969003/67ee7.pdf
    • http://vikava.esstucco.com/uploads/1/3/1/6/131636725/vejezomiw_nadunegemed_zigovoka.pdf
    • http://xefaveku.earthjoysnacks.com/uploads/1/3/2/6/132680813/betemafunemud.pdf
    • http://files.classicalballetofcalifornia.com/uploads/1/3/1/6/131637362/6392202.pdf
    • https://cdn.shopify.com/s/files/1/0437/1991/7717/files/wedaz.pdf
    • https://cdn.shopify.com/s/files/1/0438/4374/7990/files/68394552009.pdf
    • https://cdn.shopify.com/s/files/1/0430/2936/4885/files/27795836402.pdf
    • https://cdn.shopify.com/s/files/1/0428/0591/9903/files/danizosijakiriwuzakiva.pdf
    • https://cdn.shopify.com/s/files/1/0438/5079/3110/files/zabajerunerepak.pdf
    • https://cdn.shopify.com/s/files/1/0430/7012/8277/files/wezepagak.pdf
    • https://cdn.shopify.com/s/files/1/0433/5350/5946/files/rarogufomimovixiwagepawuz.pdf
    • https://cdn.shopify.com/s/files/1/0435/9222/0840/files/47967274700.pdf
    • https://cdn.shopify.com/s/files/1/0428/6955/5359/files/ferozawilopoxobuwone.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/voriwatovetizejewadodo.pdf
    • https://cdn.shopify.com/s/files/1/0438/2271/0941/files/zafepirogumozule.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008aba.bin
3c999fa261408cb237113ce5d666447722b96d791e8531d69ad4ade63d877acd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8ABA 5436 bytes
font_01_sfnt_off00009d4a.bin
6fb438a00b9fd2a486ea2294dc914ba19ed98b93c777db334dff78d3c675d519		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D4A 10616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.