Malicious PDF — malware analysis report

Static analysis result for SHA-256 f94c0ff28da11df8…

MALICIOUS

PDF

42.7 KB Created: 2020-08-09 06:43:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bf497892d1ec2ae7dfed881a076d6e5 SHA-1: 372a5a69bbad91bfe64a20f98feefcba9025103e SHA-256: f94c0ff28da11df85e0c215861f8c842d43f642133487e43efa7d4e4c27b58be
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, includes text related to financial administration and the malicious URL, suggesting a lure to a phishing or malware distribution site. The presence of a link farm further indicates malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=administracion+financiera+internacional+madura+pdf
    • http://files.alexandramcintoshlaw.com/uploads/1/3/1/3/131379594/203508.pdf
    • http://titozed.smartfirstaidcprtraining.com/uploads/1/3/2/7/132712615/vufiwirilovofiz-pomisu-zumejivunenig-sojipot.pdf
    • http://files.marcdurand.net/uploads/1/3/1/3/131382032/e63f16f442ec032.pdf
    • http://files.kaconsulting.org/uploads/1/3/0/7/130775366/rulimal-funesawafonam-tulozizaxakagu-tafilegejanidu.pdf
    • http://files.democraticcoalition.org/uploads/1/3/1/4/131437689/fabigo-legajozos.pdf
    • https://cdn.shopify.com/s/files/1/0431/2868/4701/files/78285346061.pdf
    • https://cdn.shopify.com/s/files/1/0427/5650/5756/files/komoxubuwuruwox.pdf
    • https://cdn.shopify.com/s/files/1/0430/1206/3391/files/gosaxopagipatezezubi.pdf
    • https://cdn.shopify.com/s/files/1/0433/2778/3080/files/robifodoxuzoduzejurazifed.pdf
    • https://cdn.shopify.com/s/files/1/0450/2405/1358/files/whois_godaddy_com.pdf
    • https://cdn.shopify.com/s/files/1/0436/0490/2051/files/omni_disk_sweeper.pdf
    • https://cdn.shopify.com/s/files/1/0432/7312/6052/files/46745688971.pdf
    • https://cdn.shopify.com/s/files/1/0429/1067/9203/files/affairscloud_weekly_september.pdf
    • https://cdn.shopify.com/s/files/1/0428/7227/5103/files/3983770781.pdf
    • https://cdn.shopify.com/s/files/1/0441/0654/7352/files/22878992818.pdf
    • https://cdn.shopify.com/s/files/1/0428/3029/9292/files/vijowinil.pdf
    • https://cdn.shopify.com/s/files/1/0429/1638/0831/files/94837498429.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065a9.bin
23349700d9c0ef23d76b6da1c5852c50383fa3854e0cb057abf88abc5d480fab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65A9 5288 bytes
font_01_sfnt_off00007793.bin
cb2c68d3d8eb0d136c95f3447708496669ea9f33ae000161e4fc3f89b02e44eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7793 11052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.