Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d8e2e7e1e035991…

MALICIOUS

PDF

45.0 KB Created: 2020-08-22 12:59:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47448e222a1b6fae1437030c27248110 SHA-1: 52f3e4d197f5d54ee1ae1152801e24e269f97f00 SHA-256: 4d8e2e7e1e03599128b59da439a57967c50c822f1220916176239f28ff8a068a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to shopify.com domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the text "Autocad electrical drawings pdf" and the malicious URL, suggesting a lure to a phishing or malware distribution site. The presence of a malicious redirector link indicates the primary goal is to lead the user to a compromised or malicious resource.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=autocad+electrical+drawings+pdf
    • http://files.absurdalternative.com/uploads/1/3/0/8/130814001/8308955.pdf
    • http://files.mezfantasypublishing.com/uploads/1/3/1/0/131070792/1273510.pdf
    • http://zorax.studiobmontana.com/uploads/1/3/2/8/132814930/4554370.pdf
    • https://cdn.shopify.com/s/files/1/0433/2873/3352/files/95448594396.pdf
    • https://cdn.shopify.com/s/files/1/0432/5038/5051/files/74064694873.pdf
    • https://cdn.shopify.com/s/files/1/0432/2417/0664/files/rawikuva.pdf
    • https://cdn.shopify.com/s/files/1/0428/8672/5795/files/95406364568.pdf
    • https://cdn.shopify.com/s/files/1/0429/7339/7145/files/95264590749.pdf
    • https://cdn.shopify.com/s/files/1/0433/3689/2584/files/11526293073.pdf
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/97016214192.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/26225030347.pdf
    • https://cdn.shopify.com/s/files/1/0435/2350/6336/files/kegilikixivakosugane.pdf
    • https://cdn.shopify.com/s/files/1/0437/2656/9633/files/rafadod.pdf
    • https://cdn.shopify.com/s/files/1/0434/7641/8720/files/44953501485.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071a8.bin
eadd5ea28025a80e6be16bd329e48aabd08d3e87443b0dc671b2b6baa81bd976		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71A8 5404 bytes
font_01_sfnt_off0000842a.bin
a02142123d021c18e89e6810cff65c96cced07fa14e6804bd2e46022bbcdee2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x842A 10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.