Malicious PDF — malware analysis report

Static analysis result for SHA-256 f376ed153373b029…

Verdict: MALICIOUS
File type: PDF
Size: 46.2 KB
Created: 2020-08-10 09:44:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b343dadd82951bd369b0e33dbd9a855
SHA-1: dac68a6542b78bef2bb79f6b622f1f5e593d0be6
SHA-256: f376ed153373b02904f9faffc350a10ea1ad7e2ced762603b51d1db1601a7d0a
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure for a 'pdf to editable word converter free' and includes the malicious redirector URL. This indicates the document is designed to trick users into visiting malicious sites, likely for further exploitation or credential harvesting.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=pdf+to+editable+word+converter+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000768e.bin
SHA-256: 52cf4f3c468e4436a821f70008e41df9a9c674f050ad0cd026a76a682d747690
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x768E
Size: 5128 bytes

Filename: font_01_sfnt_off0000882c.bin
SHA-256: 191b22e68975f1d08282ce9773ac04cf449bea71a917022f4f6de4457ea2257d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x882C
Size: 10572 bytes