Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b1ed6c2dab928c5…

MALICIOUS

PDF

36.3 KB Created: 2020-09-01 05:52:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c21de72406846b585cd354c1e1c70f8 SHA-1: 748e2dcb2a6d84cfeda5e54e4536e4b94d97a7d1 SHA-256: 4b1ed6c2dab928c580c6b0b5146aa2de0ece42611e63736a536d036ecb70b22e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to PDF files hosted on Shopify. One specific link, however, directs to a known malicious redirector. This suggests a link farm or SEO poisoning attack, likely intended to lure users to malicious content. The document body itself is heavily obfuscated but contains the malicious redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=kuta+algebra+1+free+worksheets
    • https://cdn.shopify.com/s/files/1/0460/2249/2319/files/gerimomoresozegulavo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6125/6096/files/rofudawidekozakadigororaj.pdf
    • https://cdn.shopify.com/s/files/1/0441/0654/7352/files/metal_carbonyls_nptel.pdf
    • https://cdn.shopify.com/s/files/1/0435/9307/2808/files/2011_ford_f150_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0449/3859/2424/files/malayala_manorama_calendar_may_2020.pdf
    • https://cdn.shopify.com/s/files/1/0433/7221/6483/files/97688847862.pdf
    • https://cdn.shopify.com/s/files/1/0429/4973/8650/files/87167572757.pdf
    • https://cdn.shopify.com/s/files/1/0429/2929/1427/files/35335442961.pdf
    • https://cdn.shopify.com/s/files/1/0432/7633/7318/files/functional_skills_english_level_2_book.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5485/files/51492647524.pdf
    • https://cdn.shopify.com/s/files/1/0431/8917/4432/files/chocobo_theme_flute_sheet_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005118.bin
4e34c76a39071a8238ac75212b3c0a0046e0021c1c25a3ec2d625a2fa56f523d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5118 5344 bytes
font_01_sfnt_off0000635a.bin
27c55edc271caf14040399c9d0e7e8349f11d826fed56c6a99303e979087462e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x635A 9832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.