Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e1e07fe73c5e33b…

MALICIOUS

PDF

50.7 KB Created: 2020-08-22 00:51:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e0c99ed95c6105c521f5227fbfe05671 SHA-1: af2db1dcb62945339eb507275bdb58f5ce02ebae SHA-256: 1e1e07fe73c5e33b0aff99782cfe44c0f4733289250109baf1d729f28a2b6c8e
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high number of embedded links, many pointing to shopify.com domains, but one critical link directs to a known malicious redirector. The document also includes a lure for password-protected archives, suggesting a multi-stage attack. The presence of numerous external links indicates a link farm strategy, potentially for SEO poisoning or to distribute further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=lake+aquilla+fishing+report+2019
    • http://files.kainielsen.org/uploads/1/3/0/8/130874104/23e750.pdf
    • http://files.conortully.com/uploads/1/3/1/6/131637072/jizujizexibate.pdf
    • https://cdn.shopify.com/s/files/1/0430/2218/8701/files/cod_aw_emblem_editor.pdf
    • https://cdn.shopify.com/s/files/1/0432/9160/7190/files/xubukupol.pdf
    • https://cdn.shopify.com/s/files/1/0430/2936/4885/files/84153806147.pdf
    • https://cdn.shopify.com/s/files/1/0430/6275/5490/files/31014145725.pdf
    • https://cdn.shopify.com/s/files/1/0438/0046/1474/files/ms_sql_server_developer.pdf
    • https://cdn.shopify.com/s/files/1/0429/3686/0839/files/vufudiwi.pdf
    • https://cdn.shopify.com/s/files/1/0430/5358/0441/files/47921237267.pdf
    • https://cdn.shopify.com/s/files/1/0428/9822/7353/files/wonigilila.pdf
    • https://cdn.shopify.com/s/files/1/0432/5621/7750/files/multinomial_logistic_regression.pdf
    • https://cdn.shopify.com/s/files/1/0431/8520/9507/files/practically_speaking.pdf
    • https://cdn.shopify.com/s/files/1/0433/4374/1083/files/xaxerewanibuni.pdf
    • https://cdn.shopify.com/s/files/1/0431/4411/8423/files/96909916318.pdf
    • https://cdn.shopify.com/s/files/1/0430/8749/5321/files/nufeg.pdf
    • https://cdn.shopify.com/s/files/1/0431/1855/9393/files/17202383774.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008739.bin
d4d3154b6cfe633a93120e1859d3eb56bfdd296ffd2c0ad86080cd7bb2a7cb91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8739 5776 bytes
font_01_sfnt_off00009ae0.bin
fb96ad898cc90a5d6dba3f3138cd35ede2999cba080267fb756bc03e55c65565		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9AE0 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.