Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8dcc64d74f41c6c…

MALICIOUS

PDF

31.5 KB Created: 2020-08-01 17:35:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40581bed8dde5e7796e0069bf35defd3 SHA-1: 984d2fee2dca959af66ce2b62e893a9ba2e1e54b SHA-256: f8dcc64d74f41c6c951846fe3c5daf3bc558a10bb14c7829705bdb2f73b42627
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains references to a 'Simon xt user manual' and numerous URLs pointing to PDF files hosted on various domains, including Shopify. This suggests a link farm or phishing lure designed to redirect users to malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=simon+xt+user+manual
    • http://files.mrmatt.org/uploads/1/3/0/7/130738859/sojawoli.pdf
    • http://files.helpbuildit.net/uploads/1/3/1/4/131409498/tawufufikowa_vevojuvijogej_kefepuj_silorixi.pdf
    • http://files.amodeosfarm.com/uploads/1/3/2/7/132712306/jitikew.pdf
    • http://files.livingcoaster.com/uploads/1/3/2/6/132681690/5215431.pdf
    • https://cdn.shopify.com/s/files/1/0431/9982/4032/files/lidowapuputabebot.pdf
    • https://cdn.shopify.com/s/files/1/0436/0539/3571/files/250972212.pdf
    • https://cdn.shopify.com/s/files/1/0429/1385/7692/files/famezi.pdf
    • https://cdn.shopify.com/s/files/1/0430/0118/4417/files/85981292527.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tizisixurodegu.pdf
    • https://cdn.shopify.com/s/files/1/0435/4719/7594/files/wugomebotosinorulalunuzob.pdf
    • https://cdn.shopify.com/s/files/1/0429/7211/9193/files/36055962558.pdf
    • https://cdn.shopify.com/s/files/1/0427/8901/1612/files/8123003949.pdf
    • https://cdn.shopify.com/s/files/1/0431/2917/6232/files/momod.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004389.bin
16cdd9b05842a9b521141a9b095610ce789d6465c54a124777c0e2483160e9ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4389 5004 bytes
font_01_sfnt_off0000546f.bin
5eec2facb96030e94591c3a5c9abbe014a31c798b829eec630add5f7c4151fe7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x546F 8568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.