Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8cf26035a6598d2…

Verdict: MALICIOUS
File type: PDF
Size: 44.3 KB
Created: 2020-08-09 09:14:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2ea3992dd9c6a3f01dfba92f25033b2c
SHA-1: f2e7dea56a077e7b1b69ba8729dfeadf15a165af
SHA-256: e8cf26035a6598d2be9da1b331b68cc95d738b92c3fff8bdd62b59bb15a23de2
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The PDF file contains a large number of embedded URLs, most of which form an SEO link farm, and one of which was identified as a known malicious redirector. The 'LOLBin run command' heuristic indicates that the document body also carries visible instructions for running commands on the system. The document text relates to 'Aparatos de ortodoncia infantil pdf' and references wkhtmltopdf, which points to a generated lure document rather than a genuine publication.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=aparatos+de+ortodoncia+infantil+pdf
    • http://files.wildandfreewellness.org/uploads/1/3/1/4/131453256/dawuvazosaxuvesu.pdf
    • http://files.womencliniccentre.com/uploads/1/3/0/8/130813696/bijovigisezuramazo.pdf
    • http://fazoke.everettdefense.com/uploads/1/3/0/9/130969060/wesulorujigevijilafu.pdf
    • http://files.dmdesignsoc.com/uploads/1/3/2/6/132681884/lenubinevumevolizib.pdf
    • https://cdn.shopify.com/s/files/1/0430/9575/2864/files/cmd_serial_number.pdf
    • https://cdn.shopify.com/s/files/1/0430/9050/9977/files/69215169139.pdf
    • https://cdn.shopify.com/s/files/1/0431/6990/6844/files/wozatoxakuluvuzuvew.pdf
    • https://cdn.shopify.com/s/files/1/0429/6117/4687/files/gitofoxapenupalesitakoz.pdf
    • https://cdn.shopify.com/s/files/1/0431/6338/6017/files/sean_paul_temperature_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0429/9315/6259/files/xamumiforoxok.pdf
    • https://cdn.shopify.com/s/files/1/0432/2515/3698/files/37956614263.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vabagibad.pdf
    • https://cdn.shopify.com/s/files/1/0434/6704/7077/files/marezunogujuwunawuz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006da0.bin
    SHA-256: d2ab4c5beb519bd313383ed8d39e785d64aab47f867cfcc2a7bb475cc2125e34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DA0
    Size: 5140 bytes
  • Filename: font_01_sfnt_off00007f2a.bin
    SHA-256: 9ccf1b954ec931decc704c8bd614b5aca058161a761c935494ca77ab659d9206
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F2A
    Size: 10948 bytes