Malicious PDF — malware analysis report

Static analysis result for SHA-256 e948d6f80d981f7a…

MALICIOUS

PDF

43.8 KB Created: 2020-08-03 23:15:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f008fa68c79490f4af6ad2c9e8777fa SHA-1: 42ab3c24186486fcf5f10cc91d457e17c623dbd6 SHA-256: e948d6f80d981f7a5d776bc544fc8e30a6e55c566ea7d191438874833a97afdb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a mass of external links, including a critical link to a known malicious redirector at https://ttraff.cc/pify. The document body text, though heavily obfuscated, contains the same URL and a search query related to base64 to PDF conversion, suggesting a lure to a malicious site. The file is likely part of a link farm or SEO poisoning campaign to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=convert+base64+to+pdf+python
    • http://files.3hwarchitecture.com/uploads/1/3/1/6/131606123/goxes.pdf
    • http://files.deitzlandsurveying.com/uploads/1/3/1/4/131438453/wagotu.pdf
    • http://jubid.jennifersnowden.net/uploads/1/3/2/6/132682883/gojedazilibum.pdf
    • http://files.dianabradfordart.com/uploads/1/3/1/4/131483069/2002958.pdf
    • http://files.tuxpeoplesmusic.com/uploads/1/3/0/8/130874495/kigevusepufe_nomigisu_nolokuxe_lakobugujokude.pdf
    • https://cdn.shopify.com/s/files/1/0428/1237/5207/files/48103845273.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4701/files/43683972175.pdf
    • https://cdn.shopify.com/s/files/1/0433/6441/7695/files/fanuc_alarm_codes_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/2390/8520/files/75924187086.pdf
    • https://cdn.shopify.com/s/files/1/0441/4645/8776/files/sukoxuvovokuvetifi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4932/8533/files/33120946476.pdf
    • https://cdn.shopify.com/s/files/1/0437/7152/7325/files/55953572239.pdf
    • https://cdn.shopify.com/s/files/1/0432/5320/3102/files/wasutevezusiralobaxeloda.pdf
    • https://cdn.shopify.com/s/files/1/0431/3815/4657/files/bepewemelude.pdf
    • https://cdn.shopify.com/s/files/1/0433/4944/2713/files/daduxemaxuru.pdf
    • https://cdn.shopify.com/s/files/1/0433/1310/2998/files/tabom.pdf
    • https://cdn.shopify.com/s/files/1/0430/0609/9605/files/xatasufiroduka.pdf
    • https://cdn.shopify.com/s/files/1/0432/9183/6566/files/31991068408.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006aa5.bin
0a05444417ccd93d4dac03021bfb4b792b06bcfcf40abd935b484aabb3700eb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AA5 5544 bytes
font_01_sfnt_off00007d86.bin
c88c117315ccfa20d35931b089c8c3a2cc47f577532a2c20f18d0d626df9ab57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D86 10728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.