Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee680d6279327bcb…

MALICIOUS

PDF

51.1 KB Created: 2020-08-10 07:00:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 879ba1dadb61064fbdcd7095f7db48e0 SHA-1: 8340c26cf2e65c54cf2e15763b984d9fa36b04d8 SHA-256: ee680d6279327bcb6c57a3fdf449421cab4b82383e975d03a990037bbc725189
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a mass external link farm, with a primary malicious redirector URL embedded. This indicates a phishing or social engineering attempt to lure the user to malicious infrastructure. The document body, though heavily obfuscated, contains the malicious URL and other benign-looking URLs, likely to appear legitimate. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=islamic+finance+and+banking+system+pdf
    • http://files.kaushikthallapally.com/uploads/1/3/1/3/131381555/1790553bd1.pdf
    • http://files.fpaterson.com/uploads/1/3/1/0/131070009/1683092.pdf
    • http://files.topmattfnq.com/uploads/1/3/1/3/131381464/6aaada781780.pdf
    • https://cdn.shopify.com/s/files/1/0446/0825/8211/files/automotive_technician_resume.pdf
    • https://cdn.shopify.com/s/files/1/0432/4796/0232/files/black_and_decker_weed_wacker_string.pdf
    • https://cdn.shopify.com/s/files/1/0435/9965/9176/files/kazile.pdf
    • https://cdn.shopify.com/s/files/1/0433/4387/2150/files/26990087226.pdf
    • https://cdn.shopify.com/s/files/1/0435/8668/3037/files/plazas_4th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0433/7562/4355/files/noboreziwuz.pdf
    • https://cdn.shopify.com/s/files/1/0446/3663/5299/files/eenadu_epaper_online_today.pdf
    • https://cdn.shopify.com/s/files/1/0437/5497/9477/files/centrifugal_and_axial_flow_pumps.pdf
    • https://cdn.shopify.com/s/files/1/0433/6104/2591/files/48162488995.pdf
    • https://cdn.shopify.com/s/files/1/0436/4579/6512/files/tifetujofakipapozopil.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000886d.bin
a43d3277e22533d0fb22ceb57eaadd5d2fffb0fdfe8d67a091b8c1ebd401f66c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x886D 5624 bytes
font_01_sfnt_off00009b88.bin
a7118acd262b6d89374e13ff37a746e573d6ff8f34a8911b40026ab22fea6f71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B88 10644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.