Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb87f9b7326fd99e…

MALICIOUS

PDF

42.2 KB Created: 2020-07-29 08:07:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69378706b7c14ee80959ea6fde012a51 SHA-1: 7870097e23482b9ab29dfe654b99a537348c1857 SHA-256: fb87f9b7326fd99ea5ecc823083cb7a1525d5812e28787fb7fc2f943f247a8fb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDFs hosted on Shopify. One prominent URL, 'https://ttraff.com/pify?keyword=american+heart+association+hyperlipidemia+guidelines', is identified as a malicious redirector. This suggests the document is designed to funnel users through a series of links, potentially leading to malicious content or phishing sites, under the guise of providing health guidelines.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=american+heart+association+hyperlipidemia+guidelines
    • http://files.fellowshipchapel.net/uploads/1/3/1/3/131379689/nazipudugoxipebumob.pdf
    • http://files.threeorbs.net/uploads/1/3/0/8/130814931/kisodidomigo_paposijipekupo_tilalirimevoguf_xakapu.pdf
    • http://files.cavanaghart.com/uploads/1/3/0/7/130739371/falugubaxedutezaxuze.pdf
    • http://files.my31sisters.org/uploads/1/3/2/6/132695629/rolox.pdf
    • http://files.cavanaghart.com/uploads/1/3/0/7/130739371/falugub
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zupapinited.pdf
    • https://cdn.shopify.com/s/files/1/0435/8524/1256/files/vafedovedokepuwudekudel.pdf
    • https://cdn.shopify.com/s/files/1/0432/5064/7204/files/99994724678.pdf
    • https://cdn.shopify.com/s/files/1/0431/1482/3844/files/42614040815.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tanedikefiresemur.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/56325204281.pdf
    • https://cdn.shopify.com/s/files/1/0435/1157/8776/files/19872952329.pdf
    • https://cdn.shopify.com/s/files/1/0430/5872/5018/files/68319857154.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8311/files/nemonibujux.pdf
    • https://cdn.shopify.com/s/files/1/0429/6422/2101/files/25235932842.pdf
    • https://cdn.shopify.com/s/files/1/0437/4170/8453/files/43916272506.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000641e.bin
89507500c27bb7a9f01e6d9165ca5b013609436db326ee079437833aa3bdb7d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x641E 5460 bytes
font_01_sfnt_off0000767f.bin
beeab4cd4b4df5839d1cced773a420cc5f85173ddbfc7f2f81e67db519d2750b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x767F 11284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.