Malicious PDF — malware analysis report

Static analysis result for SHA-256 e66200764fa73b2f…

MALICIOUS

PDF

47.8 KB Created: 2020-08-24 10:46:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6797efd62a72beb72d44bf605ef12cd6 SHA-1: 75cf772b182d0f7267a7dd594309bc04458f3490 SHA-256: e66200764fa73b2f673d4d3e6744ad41615863fc66c89e58268c69cae713dbf5
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded links that are part of a link farm, with one specific URL identified as a malicious redirector. The document body, though partially corrupted, contains text suggesting it is a 'job cost sheet excel template', which is a common lure for phishing or malware delivery. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the redirection to malicious infrastructure, and 'PDF_SEO_LINK_FARM' indicates a large number of outbound links, likely for SEO manipulation or to distribute malware. The presence of multiple Shopify URLs, some confirmed benign, suggests an attempt to blend malicious links with legitimate ones.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=job+cost+sheet+excel+template
    • http://files.empyreanwinds.com/uploads/1/3/2/6/132681026/c48331d73.pdf
    • http://files.americanresistancesevilla.com/uploads/1/3/2/6/132681769/1627700.pdf
    • http://files.gracelaurent.com/uploads/1/3/1/8/131872070/3967525.pdf
    • http://wevino.animachristiretreats.org/uploads/1/3/0/7/130776008/4424f.pdf
    • http://files.maximevaporator.com/uploads/1/3/1/0/131070918/8872208.pdf
    • https://cdn.shopify.com/s/files/1/0430/7661/6346/files/zuxagi.pdf
    • https://cdn.shopify.com/s/files/1/0428/0709/9558/files/sadagekukupizivokaz.pdf
    • https://cdn.shopify.com/s/files/1/0430/8815/0690/files/non_chronological_report_writing_year_2.pdf
    • https://cdn.shopify.com/s/files/1/0434/3096/9511/files/33987505854.pdf
    • https://cdn.shopify.com/s/files/1/0432/8642/9861/files/70272891467.pdf
    • https://cdn.shopify.com/s/files/1/0430/5226/9717/files/65582054210.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/mythology_stories.pdf
    • https://cdn.shopify.com/s/files/1/0428/7420/8415/files/21830882212.pdf
    • https://cdn.shopify.com/s/files/1/0430/8385/8080/files/denajakigu.pdf
    • https://cdn.shopify.com/s/files/1/0433/7011/9318/files/bob_s_steak_and_chop_house_menu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/76106621034.pdf
    • https://cdn.shopify.com/s/files/1/0430/7379/8306/files/ice_candy_man_novel_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070d5.bin
8783b51389afd56b10cae97a5ca851fc79ee06fbb4484729d9b71819e5664837		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70D5 4908 bytes
font_01_sfnt_off0000817b.bin
ae49e33e5abe44bfc1257ac36f4d09d0edceac1d5265bad5317e5a30b851dae3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x817B 10192 bytes
font_02_sfnt_off0000a461.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA461 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.