Malicious PDF — malware analysis report

Static analysis result for SHA-256 2755e6ada90e788f…

MALICIOUS

PDF

43.3 KB Created: 2020-09-01 05:27:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fc92157b82250e8e84194cec90a0393 SHA-1: a57130e91fa23aefb016cac36c9b9c7d35db6080 SHA-256: 2755e6ada90e788f39ef8c90c2a9884d02b958796a77a30895731684e180b574
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to what appears to be a link farm designed for SEO manipulation. One critical heuristic firing indicates a direct link to a known malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the redirector. This suggests the primary goal is to redirect users to malicious content, likely for phishing or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=din+bold+italic+free+font
    • https://cdn.shopify.com/s/files/1/0427/6381/3020/files/1961818588.pdf
    • https://cdn.shopify.com/s/files/1/0464/0279/7723/files/fortigate_rugged_90d_datasheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mowajuvide.pdf
    • https://static.usrfiles.com/ugd/ae15ca_3f3b5307c2384eddaee968204e5c4f24.pdf
    • https://static.usrfiles.com/ugd/b8c837_053808e8de0a4b62b6f65f7f8946bbac.pdf
    • https://static.usrfiles.com/ugd/3e87bf_8e6efb7ee50e47ed8c1366c0da56b688.pdf
    • https://static.usrfiles.com/ugd/2ac701_53e40e2e180c4e739705f3d735645492.pdf
    • https://static.usrfiles.com/ugd/f523c3_c0d9b7572c7740ae8ca298c883a2aebc.pdf
    • https://cdn.shopify.com/s/files/1/0435/9536/6559/files/angular_template_variable_type.pdf
    • https://cdn.shopify.com/s/files/1/0433/1231/6584/files/31487900886.pdf
    • https://static.usrfiles.com/ugd/b8c837_c10df7e889f44bc28994c76d4aa99e78.pdf
    • https://static.usrfiles.com/ugd/b8c837_9ee590db22b0406ab72ad62683a0418b.pdf
    • https://static.usrfiles.com/ugd/8ab72e_7c202e3127c7478f8573c28ee9b15e9a.pdf
    • https://static.usrfiles.com/ugd/b8c837_34bfc55053e041deb60ee9458944597e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057cf.bin
d7f9f91eec66f29cd6b32238ba8fb2388ea8caedb7eb33145995d3ab2b44ed5a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57CF 4976 bytes
font_01_sfnt_off000068c5.bin
89061146bf50f95885dc2b4a7ff6a491afe5cc663ca2e7cb66476f6a7ea45510		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68C5 9996 bytes
font_02_sfnt_off00008b5d.bin
2a726e4d8e078a4a4a6a0bed67b139344cab8167eb027720faf42c08020076b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B5D 16120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.