Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4189f4a8e53fb5e…

MALICIOUS

PDF

37.1 KB Created: 2020-08-09 02:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 560983dc568bbaa551a9563bdfd566e1 SHA-1: 131d4d3c590d48f430297004618e5981eadba8cc SHA-256: f4189f4a8e53fb5e021056d9d55b3d10f86359d81b3ded1a1d42010c8b29c33b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one identified as a known malicious redirector. The heuristic firings indicate a PDF link farm, suggesting the primary purpose is to lure users to external malicious sites. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the attack pattern. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=articles+a+an+the+grammar+exercises+pdf
    • http://files.jamesbaylee.com/uploads/1/3/1/4/131453536/8479925.pdf
    • http://files.blueridgeperformingarts.com/uploads/1/3/2/7/132712315/8022532.pdf
    • http://files.barkerstrathcatholic.com/uploads/1/3/1/8/131856318/tirugaterajob_pajibumus_vukajitelo.pdf
    • http://files.lowerbrimleycoombefarm.com/uploads/1/3/1/4/131454270/078ee1ff.pdf
    • https://cdn.shopify.com/s/files/1/0435/1141/4943/files/54534083784.pdf
    • https://cdn.shopify.com/s/files/1/0429/9161/6153/files/dr._wayne_dyer.pdf
    • https://cdn.shopify.com/s/files/1/0436/3301/6982/files/aneurisma_cerebral_causas.pdf
    • https://cdn.shopify.com/s/files/1/0443/0092/7132/files/tagolivo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9144/4390/files/budding_in_bacteria.pdf
    • https://cdn.shopify.com/s/files/1/0435/2131/0875/files/44273516082.pdf
    • https://cdn.shopify.com/s/files/1/0434/1635/4977/files/electrical_engineering_by_bl_theraja.pdf
    • https://cdn.shopify.com/s/files/1/0434/4614/1093/files/81373864692.pdf
    • https://cdn.shopify.com/s/files/1/0430/0174/1463/files/aleph_borges_english.pdf
    • https://cdn.shopify.com/s/files/1/0434/4132/4184/files/fusadenavigasif.pdf
    • https://cdn.shopify.com/s/files/1/0433/9888/9635/files/nunca_foi_sorte_livro_adriana_sant_anna.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000522a.bin
1c82579bdb65b43ea541b7d716f8dddfcf3ae088e058b8d361be88cce5a83891		 pdf-font-stream PDF embedded font (sfnt) at offset 0x522A 5628 bytes
font_01_sfnt_off0000652a.bin
cb9370e086c414dc8908ce20b67fda3cbbdbd4f0fa54f05fe52b1c53f9d180f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x652A 9988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.