Malicious PDF — malware analysis report

Static analysis result for SHA-256 e897b4222cb72495…

MALICIOUS

PDF

40.6 KB Created: 2020-08-20 12:41:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f18621b9c55ae14985e9381fab08289 SHA-1: bb1be041defd62fc0a914648e90423cca1372da9 SHA-256: e897b4222cb72495335d73b8491a2b578374117c3bf793d815f523dea945f7f9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external sites. One critical heuristic identified a malicious redirector link, suggesting an attempt to lead the user to a harmful destination. The document body, though partially corrupted, contains text related to a calendar template and the malicious URL, reinforcing the lure. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=year+at+a+glance+calendar+template+word
    • http://guxaxoja.timothyweatherall.com/uploads/1/3/1/3/131398140/lugazegifuzug.pdf
    • http://kadixazo.texaslymealliance.net/uploads/1/3/2/3/132302921/tosevejomabomix-lirosake-naparimoki-gajaxejaj.pdf
    • http://tozixal.samchapmanpainting.com/uploads/1/3/0/7/130739377/b8f9c93a5fbab8.pdf
    • https://cdn.shopify.com/s/files/1/0430/6137/9226/files/63949982229.pdf
    • https://cdn.shopify.com/s/files/1/0433/5026/1915/files/git_remove_from_staging.pdf
    • https://cdn.shopify.com/s/files/1/0433/6451/6005/files/powevisuwebof.pdf
    • https://cdn.shopify.com/s/files/1/0434/2182/7222/files/voluntary_acknowledgement_of_paternity_form_arizona.pdf
    • https://cdn.shopify.com/s/files/1/0429/8198/2361/files/92848493335.pdf
    • https://cdn.shopify.com/s/files/1/0432/3583/6063/files/curious_case_of_benjamin_button_script.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/58014629257.pdf
    • https://cdn.shopify.com/s/files/1/0428/2001/0140/files/hitman_contracts_walkthru.pdf
    • https://cdn.shopify.com/s/files/1/0431/7157/8024/files/xibibumusowajumasan.pdf
    • https://cdn.shopify.com/s/files/1/0438/3899/6642/files/gujenigubafokaj.pdf
    • https://cdn.shopify.com/s/files/1/0436/0005/2387/files/9086663160.pdf
    • https://cdn.shopify.com/s/files/1/0434/1566/6840/files/90070861554.pdf
    • https://cdn.shopify.com/s/files/1/0451/6829/6090/files/a_level_maths_notes_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060be.bin
be83f10c4747bbe0500cb3395fd7d1bc24d58db890a87eca2564ad10ed85b219		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60BE 5268 bytes
font_01_sfnt_off0000729b.bin
d329f6905a4d635fbb0762b5e9845817e973e992a5998dd23ffe9bb16c9d7679		 pdf-font-stream PDF embedded font (sfnt) at offset 0x729B 10172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.