Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb0952d34c8654c1…

Verdict: MALICIOUS
File type: PDF

Size: 38.5 KB
Created: 2020-08-23 20:05:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f8dfd16940de4eb53f4cea22a2b3500
SHA-1: acb3d80e855adf668af4496b3131b4c34754d9aa
SHA-256: eb0952d34c8654c12218ad31f0a1e2324edcd579c0694d398ee316bd3a944c27
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link farm designed to appear as free templates, but the primary URL leads to a known malicious redirector. This indicates a social engineering attempt to direct users to malicious content. The document body, though heavily obfuscated, contains the primary malicious URL and references to templates, reinforcing the lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.ru/pify?keyword=movie+poster+psd+templates+free
    • http://divuju.keitastudio.com/uploads/1/3/1/3/131383839/pupuriwagolerovivas.pdf
    • http://pewixu.oksart1.com/uploads/1/3/1/3/131380429/4027261.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66916333827.pdf
    • https://cdn.shopify.com/s/files/1/0438/7835/1003/files/firefox_60._8.pdf
    • https://cdn.shopify.com/s/files/1/0432/2885/6477/files/farebuv.pdf
    • https://cdn.shopify.com/s/files/1/0437/7994/8695/files/european_food_safety_authority.pdf
    • https://cdn.shopify.com/s/files/1/0436/0998/1085/files/93495830487.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/luvibuxunefipefijuli.pdf
    • https://cdn.shopify.com/s/files/1/0438/0321/3984/files/82947363347.pdf
    • https://cdn.shopify.com/s/files/1/0432/3360/7842/files/56644889206.pdf
    • https://cdn.shopify.com/s/files/1/0432/5592/2852/files/saaq_car_valuation_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000599b.bin
    SHA-256: c0454a05ec28e38d0698d296528ea685ed8f0145cd929a326c1f822fb93b7a77
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x599B
    Size: 5252 bytes
  • Filename: font_01_sfnt_off00006b70.bin
    SHA-256: 73fed24572e3709f6bbd1624b567e9c137a03153a8c24042f6bd96ca11d3df02
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B70
    Size: 10040 bytes