Malicious PDF — malware analysis report

Static analysis result for SHA-256 f57159c2c8b58207…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-08-25 03:07:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f0263cb558158c6d33ea3b7537f4b66
SHA-1: 3149ffbf882716e4d8eea3193cc6d8f7b8be2867
SHA-256: f57159c2c8b582079b64e18be89e39b411cead418df0d5bc3c8b3fd60ef4ae39
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links, a technique often used to redirect users to malicious sites or distribute malware. One critical heuristic firing specifically flagged a link to known malicious redirector infrastructure. While the document body contains garbled text and what appears to be metadata, the primary threat stems from the link farm. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000731c.bin
    SHA-256: 41a1792d8b647041eea8c63d01ab72d856295e995528091e8d2f28e4a95a9b81
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x731C
    Size: 5084 bytes
  • Filename: font_01_sfnt_off00008458.bin
    SHA-256: 6aaa2536701b9bc7e4e032e928b6124f049167c672b1e5234567fdfa9c16658f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8458
    Size: 10404 bytes