Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5f0264bb9350f5d…

MALICIOUS

PDF

46.1 KB Created: 2020-07-20 03:13:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ddb39e2bf3a9d2afea5deaad1684ea7 SHA-1: 31558c7485e95aa9c8d2716bd4599b3abcc6404f SHA-256: f5f0264bb9350f5d8bb7a4b9d0241440bcbc8ccbbc48d6d037f538ad20b83ee0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to a URL associated with malicious infrastructure. Additionally, it exhibits characteristics of a PDF link farm, suggesting an attempt to manipulate search engine results or distribute links broadly. The embedded URL is the primary indicator of malicious intent, likely leading to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=2018%20honda%20africa%20twin%20dct%20vs%20manual
    • http://files.newbeginningsintuitive.com/uploads/1/3/0/7/130774964/lamif.pdf
    • http://files.spencerkezhouxiao.com/uploads/1/3/2/6/132681153/6825073.pdf
    • http://files.indiachinaconjunctures.org/uploads/1/3/0/7/130776743/6763032.pdf
    • https://nubafegurobu.files.wordpress.com/2020/06/90941265605.pdf
    • https://kodelemepopi.files.wordpress.com/2020/07/38453228789.pdf
    • https://pajojadede.files.wordpress.com/2020/07/dilipegoxuxuvujef.pdf
    • https://tilakomo.files.wordpress.com/2020/07/jusedipex.pdf
    • https://rudukaleditu308957543.files.wordpress.com/2020/07/poxulinube.pdf
    • https://dojobavoviz.files.wordpress.com/2020/06/ratapobopuligabisawu.pdf
    • https://ronoretexupo.files.wordpress.com/2020/06/werijod.pdf
    • https://cdn.shopify.com/s/files/1/0431/1616/7328/files/56648414905.pdf
    • https://cdn.shopify.com/s/files/1/0432/0008/6180/files/jiwidenesipodexur.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/41267837863.pdf
    • https://cdn.shopify.com/s/files/1/0428/9275/5103/files/zawodivefokelupirumebi.pdf
    • https://cdn.shopify.com/s/files/1/0428/8380/9439/files/gobeguwotupaj.pdf
    • https://cdn.shopify.com/s/files/1/0428/4468/4454/files/vabasavowifatevedavesuk.pdf
    • https://cdn.shopify.com/s/files/1/0430/2818/5239/files/54518841158.pdf
    • https://cdn.shopify.com/s/files/1/0432/5395/6758/files/28506838945.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000075de.bin
74f188636062ef619db68a8a7083ee2c282a98d31c355e871462b1872bbb242d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75DE 5604 bytes
font_01_sfnt_off000088c0.bin
0a7fcae1d38dcb81b35f40a8a93e0a2a5586b9e817cb92c59c61529bc0bc6461		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88C0 10016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.