Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8ebd9f39ef0a24a…

MALICIOUS

PDF

Size: 40.7 KB
Created: 2020-09-18 06:15:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b4eaa7c70a6aa4115fe8af48c7382ed
SHA-1: 491042f62b31cc1bc65be37e8be8b5daa32d20ba
SHA-256: f8ebd9f39ef0a24a2892c2785b43ebe0170b6ae90f30998946499f3e45359c70
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

The PDF file was identified as malicious due to the presence of a large number of embedded links, a technique often used for SEO spam or to redirect users to malicious sites. One of the embedded URLs, 'https://ttraff.link/wix?keyword=what+is+nahso4', is flagged as a known malicious redirector. The document body contains garbled text but also includes the same URLs, reinforcing the link-farming and redirection attack pattern. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/wix?keyword=what+is+nahso4
    • http://files.lizbouk.com/uploads/1/3/0/8/130874063/kagebixaselamu-meben.pdf
    • http://pasafazik.englishwithtuttle.com/uploads/1/3/0/9/130969742/1940394.pdf
    • http://lemilote.tenshelpingtens.com/uploads/1/3/2/7/132712207/pemidos.pdf
    • http://tazutom.hinotefarms.com/uploads/1/3/1/4/131452942/vaxutobevapuluv.pdf
    • https://5c9f1b38-c9cd-462b-9e4b-3a12fabb9552.filesusr.com/ugd/9b7d8a_ecf83e4df20f41d0ac36bfe29fff5c67.pdf?index=true
    • https://ad41337e-3467-4b63-8ccb-b002202a3b27.filesusr.com/ugd/7598fa_6fd3d02f9e4e4c15996f1cbf3e628881.pdf?index=true
    • https://2459e085-10e4-49af-9d62-83d74f4211d5.filesusr.com/ugd/f515ca_e5a321ff0ee54f7cb1ffaf8c4342536e.pdf?index=true
    • https://448e8b55-1e01-4427-8c52-f3ade455e9aa.filesusr.com/ugd/904a8b_f9ab955dfe0a45f29f56061360079042.pdf?index=true
    • https://abf391b3-5376-43dc-8020-351ac9f7b4b7.filesusr.com/ugd/d4579c_0a4173533f74404dbea22a08f2a9032e.pdf?index=true
    • https://caca5d0c-9c6d-457b-83ac-08261fde043b.filesusr.com/ugd/4c1554_85386bc618514dca8a09e0a45a77b59a.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0452/0011/3813/files/privileged_and_confidential_letter_template.pdf
    • https://cdn.shopify.com/s/files/1/0431/3192/8740/files/wudawufu.pdf
    • https://cdn.shopify.com/s/files/1/0433/5550/4795/files/british_dressage_elementary_test_sheets.pdf
    The remaining six URLs are standard XMP/RDF namespace identifiers from the document's metadata packet (RDF, Dublin Core, Adobe PDF, XMP Basic, XMP Media Management, XMP Rights). They are not clickable links and do not contribute to the link-farm finding:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
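A worked triage pass in the spirit of the two critical heuristics above, written for this report as an added example (it is not the analysis platform's own code). It pulls every /URI link action out of raw PDF bytes, inflating FlateDecode streams so annotations packed into object streams are not missed, labels each URL with the channel that reached it (link action, bare URL in text/metadata, XMP namespace), clusters clickable links by an approximation of registrable domain, and fires PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. The thresholds (100 KB, 5 PDF links, 40% on one site), the REDIRECTOR_HOSTS list (seeded only with the ttraff.link host named in this report) and the in-memory sample PDF are assumptions for the example; the vendor's actual rule values are not published on this page.

```python
"""Triage of a PDF's clickable URIs: link-farm and redirector heuristics.
Added example, not the analysis platform's own code. Scans raw PDF bytes for
/URI link actions (inflating FlateDecode streams so annotations in object
streams are seen), labels every URL with its channel, and applies rules
modelled on PDF_SEO_LINK_FARM / PDF_MALICIOUS_REDIRECTOR_LINK. Thresholds,
redirector list and the sample document are assumptions, not vendor values."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse
REDIRECTOR_HOSTS = {"ttraff.link"}  # the host named in the report (assumed list)
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                   "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")
SMALL_PDF_BYTES, MIN_PDF_LINKS, MIN_TOP_SITE_SHARE = 100 * 1024, 5, 0.4  # assumed
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")
_ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _views(data):
    """Raw bytes, then the body of every stream that inflates as Flate."""
    yield data
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate (fonts, images) or truncated: skip it

def _pdf_string(lit, hexs):
    """Decode a PDF literal (...) or hex <...> string that holds a URI."""
    if lit:
        return re.sub(rb"\\([()\\])", rb"\1", lit).decode("latin-1")
    digits = re.sub(rb"\s", b"", hexs)
    return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()).decode("latin-1")

def extract_urls(data):
    """Map URL -> channels: 'link' (a /URI action), 'body' (bare URL in text or
    metadata), 'xmp-namespace' (RDF/XMP namespace id: metadata, never clickable)."""
    channels = {}
    for view in _views(data):
        for lit, hexs in _URI_RE.findall(view):
            channels.setdefault(_pdf_string(lit, hexs), set()).add("link")
        for raw in _ANY_URL_RE.findall(view):
            url = raw.decode("latin-1")
            if "link" not in channels.get(url, ()):
                channels.setdefault(url, set()).add("body")
    for url, chans in channels.items():
        if url.startswith(XMP_NS_PREFIXES):
            chans.add("xmp-namespace")
    return channels

def _site(url):
    """Registrable-domain approximation: the last two labels of the host."""
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])

def triage(data):
    """Return the heuristic IDs that fire together with their evidence."""
    channels = extract_urls(data)
    links = sorted(u for u, c in channels.items() if "link" in c)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    top_site, top_n = (Counter(map(_site, links)).most_common(1) or [("", 0)])[0]
    redirectors = [u for u in links if urlparse(u).hostname in REDIRECTOR_HOSTS]
    fired = ["PDF_MALICIOUS_REDIRECTOR_LINK"] if redirectors else []
    if (len(data) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS
            and top_n >= MIN_TOP_SITE_SHARE * len(links)):
        fired.append("PDF_SEO_LINK_FARM")
    return {"fired": fired, "links": links, "pdf_links": len(pdf_links),
            "top_site": top_site, "redirectors": redirectors, "channels": channels}

def build_sample_pdf(uris, compress_from=2):
    """Constructed input: one-page PDF with a /Link annotation per URI (those from
    index compress_from on packed into a Flate object stream) plus an XMP packet."""
    annot = lambda u: (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                       b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    plain, packed = [annot(u) for u in uris[:compress_from]], [annot(u) for u in uris[compress_from:]]
    objstm = 5 + len(plain)  # objects 1-3: catalog/pages/page, 4: XMP, then plain annots
    refs = [5 + i for i in range(len(plain))] + [objstm + 1 + j for j in range(len(packed))]
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"/></rdf:RDF>')
    header = b"".join(b"%d %d " % (objstm + 1 + j, sum(len(p) + 1 for p in packed[:j]))
                      for j in range(len(packed)))
    deflated = zlib.compress(header + b"\n".join(packed) + b"\n")
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots ["
            + b" ".join(b"%d 0 R" % r for r in refs) + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream", *plain,
            b"<< /Type /ObjStm /N %d /First %d /Filter /FlateDecode /Length %d >>\nstream\n"
            % (len(packed), len(header), len(deflated)) + deflated + b"\nendstream"]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.5\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

SAMPLE_URIS = (  # constructed, modelled on the shape of the report's link list
    ["https://ttraff.link/wix?keyword=what+is+nahso4"]
    + [f"https://site{i}.filesusr.com/ugd/{i:02x}_doc.pdf?index=true" for i in range(5)]
    + ["https://cdn.shopify.com/s/files/1/0001/files/a.pdf",
       "https://cdn.shopify.com/s/files/1/0002/files/b.pdf",
       "https://example.org/about.html"])

def demo():
    """Triage the constructed sample; both report heuristics fire on it."""
    return triage(build_sample_pdf(SAMPLE_URIS))
```

Two design points worth noting. First, the scanner keys on /URI actions rather than on any string that looks like a URL, which is what separates the 14 clickable links in this sample from the six XMP namespace identifiers; a grep-based extractor reports all 20 and inflates the link count. Second, the constructed PDF omits the cross-reference table (the scanner never needs it and readers rebuild it), so it exercises the parser paths, not viewer rendering. A production version would also walk /GoToR and /JavaScript actions, resolve indirect /A references, and replace the two-label domain approximation with a public-suffix lookup.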

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off000061e7.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x61E7  4748 bytes
  SHA-256: ae372bac2af6a022b4edc11e281dff39baafb6d842a83f7cf221f7132e25db41
font_01_sfnt_off0000721e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x721E  10676 bytes
  SHA-256: c9a6d49d36dca3f42302e0930ceb6f42b69ab43f852e0b4fed22dd9710e3f953