Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d3e710565b7d0de…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2020-09-22 11:45:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e16930c3aa3306ce863c8a2b23588c5
SHA-1: f40cfe36ef5619559fabcc49bc61f6adafe95ca7
SHA-256: 4d3e710565b7d0de181712a6ae03e098d28df62cccb6acb536393f453ffdad66
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with the primary link pointing to a known malicious redirector. This suggests the document is designed to lure users into clicking malicious URLs. The presence of a link farm indicates a broad attempt to distribute malicious content, likely for phishing or malware delivery. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF+%25D9%2587%25D8%25A7%25D8%25AA+%25D8%25A7%25D8%25B3%25D9%25BE%25D8%25A7%25D8%25AA+%25D8%25B4%25DB%258C%25D9%2584%25D8%25AF+%25D9%2588%25DB%258C%25D9%2586%25D8%25AF%25D9%2588%25D8%25B2+%25DA%25A9%25D8%25B1%25DA%25A9+%25D8%25B4%25D8%25AF%25D9%2587

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_007_off0000f579.bin | 757273897ff5f51954ba8eba157f10423fd20f2ba0498cec03c919278b2d6e00 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF579 | 30316 bytes
font_00_sfnt_off000096f5.bin | 09993d2ce77ab7fe1c497bbed63e771043a95cd474ce79d95a2a50e6ede8176b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x96F5 | 6812 bytes
font_01_sfnt_off0000a82a.bin | eeb5e31d71f00cead1fc940f0cd48c64d31cc2a9b3bda03c141aa0d4294f0e86 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA82A | 4068 bytes
font_02_sfnt_off0000b608.bin | cbc1059ac873a37d3c61cfcfffcad9e67dda30e304b7651875e2aadc87853b34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB608 | 10212 bytes
font_03_sfnt_off0000d951.bin | 1051d9bcbb16b0332434fc3f8cc2aebcf01a8be87fa291250ccbe39e0d25d128 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD951 | 18428 bytes