Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecd99191a988624d…

MALICIOUS

PDF

37.9 KB Created: 2020-08-20 23:41:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a97414b73b20f432d3feaba38407e03 SHA-1: 2efe21533802769d4fa08caae22629b9ff68e045 SHA-256: ecd99191a988624d7503e46242a7115b3cb40c1002fb5387ce60e6380a73061d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a software plugin. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the primary link leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic suggests the document is part of a larger link farm, likely for SEO manipulation or to obscure the true destination. The embedded URL and the document body both point to the 'ireport plugin for netbeans' lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ireport+plugin+for+netbeans
    • http://xiwawuzi.boostsportsconsulting.com/uploads/1/3/1/3/131380429/nexabu-wotegu.pdf
    • http://jeboga.skintwalletsusa.com/uploads/1/3/0/7/130775934/8b67929492167dd.pdf
    • http://mebetajim.bluethunderbirdwoman.com/uploads/1/3/0/7/130739892/ruwetezare.pdf
    • http://files.pilotskb.com/uploads/1/3/1/4/131482878/vinoginefate.pdf
    • http://files.talsegevphotos.com/uploads/1/3/1/1/131164046/4664459.pdf
    • https://cdn.shopify.com/s/files/1/0438/3057/5266/files/xorifem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/7868051279.pdf
    • https://cdn.shopify.com/s/files/1/0435/2232/6696/files/xanagatojar.pdf
    • https://cdn.shopify.com/s/files/1/0435/4444/5092/files/nonolisunonowosolabaxaxo.pdf
    • https://cdn.shopify.com/s/files/1/0429/5950/3519/files/94652316372.pdf
    • https://cdn.shopify.com/s/files/1/0437/3564/6357/files/21912557281.pdf
    • https://cdn.shopify.com/s/files/1/0433/6068/2139/files/64246417973.pdf
    • https://cdn.shopify.com/s/files/1/0429/3863/0300/files/calculus_early_transcendentals_briggs_cochran.pdf
    • https://cdn.shopify.com/s/files/1/0428/6365/7119/files/wuradosorafunu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000572c.bin
0896e6939dfba42ab27b84d020723688ac6790af3f431ffafdeffb2d8ab06abd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x572C 5148 bytes
font_01_sfnt_off000068b0.bin
8b41f9b09ab0ea31c7083a3f004bf88a89372f3358dd881d1c307a5bb31b8478		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68B0 9504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.