Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb6e1b186e6a4100…

MALICIOUS

PDF

46.4 KB Created: 2020-08-12 05:07:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ada1e55da2e04c8fab5a2f818d58662 SHA-1: d9060f854ff9f8902d1db7b5d25af5a5fc0b98aa SHA-256: eb6e1b186e6a41005bc5572d6efc281fafae9032d135e237c24d7824be2361ea
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector at https://ttraff.cc/pify?keyword=buck+saw+plans+pdf. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to download further malicious content. The presence of a link farm heuristic further supports the malicious intent of distributing links to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=buck+saw+plans+pdf
    • http://pinaboj.bvhstigerettes.com/uploads/1/3/0/7/130740596/zelugajidijezot.pdf
    • http://files.mybutlerandmaid.com/uploads/1/3/0/7/130775291/dotaked.pdf
    • http://jufusexab.elilanguagemagazines.com/uploads/1/3/1/0/131070767/nujadotoramul.pdf
    • https://cdn.shopify.com/s/files/1/0454/2365/7118/files/5482190264.pdf
    • https://cdn.shopify.com/s/files/1/0432/4186/5375/files/81848133071.pdf
    • https://cdn.shopify.com/s/files/1/0432/4550/2626/files/mitsubishi_maintenance_schedule.pdf
    • https://cdn.shopify.com/s/files/1/0434/3654/0069/files/xegovowarakakitelorijero.pdf
    • https://cdn.shopify.com/s/files/1/0427/7446/2631/files/fubege.pdf
    • https://cdn.shopify.com/s/files/1/0433/3764/6245/files/tojivadifasawukubiterudo.pdf
    • https://cdn.shopify.com/s/files/1/0427/8163/8812/files/31150696497.pdf
    • https://cdn.shopify.com/s/files/1/0436/2970/7422/files/64727007444.pdf
    • https://cdn.shopify.com/s/files/1/0427/9821/9420/files/zimixuj.pdf
    • https://cdn.shopify.com/s/files/1/0428/9485/2252/files/pofowelodumoxojofufumijam.pdf
    • https://cdn.shopify.com/s/files/1/0432/3160/8989/files/20572547826.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f5b.bin
d315982e945d64b5323e198dfdacb106932c5e08551621e05426d231e93222dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F5B 5256 bytes
font_01_sfnt_off00008167.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8167 1800 bytes
font_02_sfnt_off000089f4.bin
7f2417d86e4add8c16c392e10d52621ed33b62b7506b0053b2eaa5d431451cca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89F4 10224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.