Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a8ab69083b9c3fa…

MALICIOUS

PDF

42.2 KB Created: 2020-07-30 20:13:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e86782a29ca2cde4f8aa792cb0fc986 SHA-1: 69a9e7d1a5e4a9c408a5b27091fc57d8872e2990 SHA-256: 3a8ab69083b9c3fa3db5401e8233818aa660463526d992873addd38bcd567e1b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, suggests a title related to 'Arabian dances roland barrett pdf', which is likely a lure. The presence of numerous links, many pointing to Shopify domains, suggests a link farm or SEO manipulation tactic to drive traffic to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=arabian+dances+roland+barrett+pdf
    • http://files.clarevet.com/uploads/1/3/2/8/132816042/6865789.pdf
    • http://files.onlineenglishacademyofseattle.com/uploads/1/3/0/8/130874017/7aeca.pdf
    • http://files.lauramartier.com/uploads/1/3/1/6/131637529/jotatapi.pdf
    • http://files.whippoorwillwoods-raynham.com/uploads/1/3/0/7/130740158/jibabixawab.pdf
    • http://files.whippoorwillwoods-raynham.com/uploads/1/3/0/7/
    • https://cdn.shopify.com/s/files/1/0435/0686/0187/files/58128752813.pdf
    • https://cdn.shopify.com/s/files/1/0431/9779/2420/files/wowepigoxopapanomad.pdf
    • https://cdn.shopify.com/s/files/1/0437/4803/2666/files/vofimizujawunujuzofizuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/7066/8453/files/winipusepanejolojatiz.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/toraladomokipina.pdf
    • https://cdn.shopify.com/s/files/1/0432/5549/6866/files/jagakobomisaxuvawemub.pdf
    • https://cdn.shopify.com/s/files/1/0437/6212/2903/files/77949646712.pdf
    • https://cdn.shopify.com/s/files/1/0430/2451/5229/files/12349006410.pdf
    • https://cdn.shopify.com/s/files/1/0429/5150/8131/files/62840426092.pdf
    • https://cdn.shopify.com/s/files/1/0433/6759/6184/files/9298232724.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/37263727017.pdf
    • https://cdn.shopify.com/s/files/1/0431/7573/9553/files/mibubidubupev.pdf
    • https://cdn.shopify.com/s/files/1/0431/9825/1165/files/66133513741.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006706.bin
e801ad94a41bd4d198735718cff952973d18fbe7918a088e0e433c6046947f31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6706 5064 bytes
font_01_sfnt_off00007832.bin
34aec264179fc17eb76f365b5bfd4378732fb0a9862b62017dcb9a9668706984		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7832 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.