Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c2ab3aa0cf46457…

MALICIOUS

PDF

41.8 KB Created: 2020-09-09 07:18:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70d352822b83109f3b14b813fda23de6 SHA-1: d58c04fa9deb5a30622f500f0c03aefd9742b9e1 SHA-256: 1c2ab3aa0cf46457638d79640a289145044af1ee9aca7ada2763d690891efed4
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a malicious redirector link and a link farm, indicating a phishing or scam attempt. The presence of a 'download button' heuristic further supports a lure-based attack. The document body, though heavily obfuscated, contains the malicious URL and references to download templates, reinforcing the attack pattern. No scripts were extracted, limiting the analysis of further payload execution.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=word+gift+certificate+template+christmas
    • https://cdn.shopify.com/s/files/1/0457/4583/2092/files/44259088637.pdf
    • https://cdn.shopify.com/s/files/1/0437/5642/1269/files/tekonsha_p3_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/3641/6936/files/thinkorswim_demo_descarga_de_cuenta.pdf
    • https://cdn.shopify.com/s/files/1/0431/4929/5776/files/getedopoxow.pdf
    • https://cdn.shopify.com/s/files/1/0433/9171/3443/files/wodexotikulabun.pdf
    • https://cdn.shopify.com/s/files/1/0433/9413/8268/files/12902160390.pdf
    • https://cdn.shopify.com/s/files/1/0432/5693/8658/files/sample_letter_to_consulate_for_visitor_visa.pdf
    • https://cdn.shopify.com/s/files/1/0434/5816/6941/files/hyperdimension_neptunia_re_birth1_achievements_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/9270/4408/files/82629247981.pdf
    • https://cdn.shopify.com/s/files/1/0438/1189/7504/files/xafuni.pdf
    • https://cdn.shopify.com/s/files/1/0432/6454/0840/files/34156849650.pdf
    • https://cdn.shopify.com/s/files/1/0432/4697/7179/files/nemomenasabaxipojetojetu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006413.bin
a3649aafce3b7d770964a46bbc2aac2d3187dd30c018ab6c7d476ff0b35534cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6413 5580 bytes
font_01_sfnt_off000076f7.bin
5f9221b759946028abb3581b43de7b855dc5877ce5def96f49307ff743374a3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76F7 10428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.