Malicious PDF — malware analysis report

Static analysis result for SHA-256 f720b148d6ad625d…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
Created: 2020-08-19 22:27:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fc08a62436223da321fdc4a2d4bd1c3
SHA-1: 6d47666115440e7c031e69407034e2448c4fbc23
SHA-256: f720b148d6ad625df3297f7eaa4d1a5662a0cc6507e83f351115bf7fe4e9f5ce
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

Two critical heuristics fire on this sample. The PDF carries a clickable link to known malicious redirector infrastructure (a ttraff.com URL whose keyword parameter is 'superannuation claim form cbus'), and it is a small document acting as a PDF link farm: most of its links point to PDFs on the benign Shopify CDN host, while at least two point to unknown PDFs on suspicious third-party domains. The document body, although heavily obfuscated, repeats the same redirector URL next to a benign-looking PDF link, consistent with a lure that routes the reader to a phishing or scam page rather than with any parser exploit.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] SE_CALLBACK_LURE: Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=superannuation+claim+form+cbus
    • http://begegafe.rynopowersports.com/uploads/1/3/2/7/132740978/nafetejemebuw_xalezada.pdf
    • http://gazitoxek.richfeenstra.com/uploads/1/3/1/4/131454215/soxewedulu_xunoromurato.pdf
    • https://cdn.shopify.com/s/files/1/0438/2982/1600/files/joledisoridipawawaxakoger.pdf
    • https://cdn.shopify.com/s/files/1/0430/2834/9085/files/70164170471.pdf
    • https://cdn.shopify.com/s/files/1/0434/5180/9957/files/63523526395.pdf
    • https://cdn.shopify.com/s/files/1/0435/2881/4760/files/27582253058.pdf
    • https://cdn.shopify.com/s/files/1/0431/8419/3697/files/megan_rock_of_love_2.pdf
    • https://cdn.shopify.com/s/files/1/0437/5265/2951/files/lok_sabha_election_schedule_2020_in_west_bengal.pdf
    • https://cdn.shopify.com/s/files/1/0436/2534/9283/files/62956516321.pdf
    XMP metadata namespace URIs (standard schema identifiers found in the document's XMP packet, not link targets; expected in any wkhtmltopdf/Qt output):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
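
The two critical heuristics above (redirector link, small-file link farm clustered on one host) are simple enough to reproduce over raw bytes. The following is an added example, not code from the analysis platform that produced this report: it pulls `/URI` targets out of `/Link` annotation actions with a regular expression, scores them against thresholds that are assumptions for the example (200 KB "small" cut-off, five outbound .pdf links, 60% of links on the dominant host), and uses a one-entry denylist containing ttraff.com because this page names it as the redirector host. The sample PDF is constructed inline from the URLs listed above, with an XMP packet carrying the same namespace declarations, to show that metadata namespaces never surface as link targets. Hex-encoded strings, indirect `/A` objects and object streams are out of scope; a production tool would use a real PDF parser.

```python
"""Link-annotation extraction and link-farm scoring for small PDFs (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions chosen for this example, not the report's tuning.
SMALL_PDF_BYTES = 200 * 1024      # "small" carrier: the sample on the page is 45.2 KB
MIN_PDF_LINKS = 5                 # outbound .pdf links before the document looks like a farm
CLUSTER_RATIO = 0.6               # share of links that must sit on the dominant host
# Illustrative denylist: the report names ttraff.com as the redirector host.
REDIRECTOR_HOSTS = frozenset({"ttraff.com"})

# Only the literal-string form of a link action is handled: /A << /S /URI /URI (...) >>.
# The first /URI in that dict is followed by "/", not "(", so it does not match.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf: bytes) -> list:
    """Return every /URI target found in link-annotation actions, in file order."""
    # Undo the PDF literal-string escapes that matter for URLs: \( \) and \\
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1") for raw in URI_RE.findall(pdf)]


def assess(pdf: bytes, redirector_hosts=REDIRECTOR_HOSTS) -> dict:
    """Score a PDF against the three link-based heuristics named in the report."""
    uris = extract_link_uris(pdf)
    hosts = [(urlparse(u).hostname or "").lower() for u in uris]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = Counter(hosts).most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    findings = []
    if uris:
        findings.append("EMBEDDED_URL")            # informational only
    if any(h in redirector_hosts for h in hosts):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS and share >= CLUSTER_RATIO:
        findings.append("PDF_SEO_LINK_FARM")
    return {"uris": uris, "dominant_host": top_host, "dominant_share": share,
            "pdf_link_count": len(pdf_links), "findings": findings}


def build_link_pdf(urls, xmp_xml: bytes = b"") -> bytes:
    """Construct a minimal single-page PDF with one /Link annotation per URL (test fixture)."""
    annot_refs = " ".join(f"{5 + i} 0 R" for i in range(len(urls)))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annot_refs}] >>".encode(),
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp_xml) + xmp_xml + b"\nendstream",
    ]
    for i, url in enumerate(urls):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        y = 700 - 20 * i
        objects.append(f"<< /Type /Annot /Subtype /Link /Rect [36 {y} 300 {y + 15}] "
                       f"/A << /S /URI /URI ({esc}) >> >>".encode("latin-1"))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + obj + b"\nendobj\n"
    xref_off = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode() + b"0000000000 65535 f \n"
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\nstartxref\n{xref_off}\n%%EOF\n".encode()
    return bytes(out)


# The link targets reported on this page, reused as the constructed sample's annotations.
SAMPLE_URLS = [
    "https://ttraff.com/pify?keyword=superannuation+claim+form+cbus",
    "http://begegafe.rynopowersports.com/uploads/1/3/2/7/132740978/nafetejemebuw_xalezada.pdf",
    "http://gazitoxek.richfeenstra.com/uploads/1/3/1/4/131454215/soxewedulu_xunoromurato.pdf",
    "https://cdn.shopify.com/s/files/1/0438/2982/1600/files/joledisoridipawawaxakoger.pdf",
    "https://cdn.shopify.com/s/files/1/0430/2834/9085/files/70164170471.pdf",
    "https://cdn.shopify.com/s/files/1/0434/5180/9957/files/63523526395.pdf",
    "https://cdn.shopify.com/s/files/1/0435/2881/4760/files/27582253058.pdf",
    "https://cdn.shopify.com/s/files/1/0431/8419/3697/files/megan_rock_of_love_2.pdf",
    "https://cdn.shopify.com/s/files/1/0437/5265/2951/files/lok_sabha_election_schedule_2020_in_west_bengal.pdf",
    "https://cdn.shopify.com/s/files/1/0436/2534/9283/files/62956516321.pdf",
]
# Constructed XMP packet with namespace declarations like those listed under EMBEDDED_URL.
SAMPLE_XMP = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
              b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
              b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
# A constructed two-link document for contrast.
BENIGN_URLS = ["https://example.com/report.pdf", "https://example.com/"]

if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        result = assess(build_link_pdf(urls, SAMPLE_XMP))
        print(name, result["findings"], result["dominant_host"], f"{result['dominant_share']:.2f}")
```

Run as a script it prints the findings for both constructed documents; the sample trips all three labels with cdn.shopify.com as the dominant host at a 0.70 share, while the two-link document yields only EMBEDDED_URL. Neither run extracts the w3.org or ns.adobe.com namespace URIs, because they live in the metadata stream rather than in a link action. Size and host-clustering thresholds are the knobs an analyst would tune against a corpus of real wkhtmltopdf output before trusting the farm verdict.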

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000070f9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x70F9   5404 bytes
  SHA-256: 51f94606ec57c2a45c35b7fca7d8615011acb510bd6ae53c7ca90bdd54109e0a
font_01_sfnt_off00008336.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8336   10800 bytes
  SHA-256: 8a4fc4de089872ebe56e41fef41e793801c6201bcefe73ae2b42e5cf89d4af34