Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9a674cd4dbe8e34…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Created: 2020-09-29 19:50:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58c4ea9ea64cb450fd4a4d1365e7b715
SHA-1: 6764e914c02efc76e7e10f2b69cbe6480bff3776
SHA-256: f9a674cd4dbe8e34639efe35577d7da65691496102cb450d853a1363c3dcd10d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded document body, though heavily obfuscated, also contains the primary malicious URL. This suggests the document's purpose is to lure the user to the malicious site, likely for phishing or malware distribution. No scripts were extracted, limiting further analysis of the payload.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/strik?keyword=biometria+hematica+para+que+sirve+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00005cc8.bin
  SHA-256: 946572f5c37c1698176831b1b588b2d74bd1fcea258d72f5da0c574935d123af
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5CC8
  Size: 5596 bytes

Artifact 2
  Filename: font_01_sfnt_off00006fa7.bin
  SHA-256: 9369d46324a2144da8ad6173cf069fdcc7d62629d79da31a33fc130f31799d60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6FA7
  Size: 11240 bytes