Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e4d6740c0af5509…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Created: 2020-08-30 11:42:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ade880c2557c3bd39b99cd441d52284
SHA-1: 53aa293e168db9208d3b74e3c6af652f4173c363
SHA-256: 4e4d6740c0af5509131a579f130fe7639fead81f88c438ec309af3dfd5c005e2
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a link farm together with one URL that is flagged as a malicious redirector. The document body, although heavily obfuscated, carries text about 'Star trek countdown collection volume 1' next to the redirector URL, which suggests a lure designed to make the reader click the link. The many external links to other PDFs, most of them on a single host, support the SEO link-farm heuristic: the document exists to manipulate search results or to route readers through a large set of cross-linked documents rather than to convey content. The wkhtmltopdf producer string in the metadata is consistent with an automatically generated carrier rather than a hand-authored document. Nothing here relies on a PDF parser vulnerability; the risk lies entirely in the user following the link into the redirect chain, so blocking the redirector host and the link-farm hosts is the practical mitigation.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains, not on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the channel that reached it (macro, JavaScript, link annotation, document body, metadata, ...) determines how much weight it carries.
    Redirector URL (clickable link, see PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/wix?keyword=star+trek+countdown+collection+volume+1
    External PDF links (clickable links, see PDF_SEO_LINK_FARM):
    • https://static.usrfiles.com/ugd/b8c837_3bc19c4b22e94fb09da987312d9a7df4.pdf
    • https://static.usrfiles.com/ugd/804ff6_7f46d812505e4ec48be3298107bcacb1.pdf
    • https://static.usrfiles.com/ugd/affaa6_84db987a89c64db9ba134269ecd6b46e.pdf
    • https://static.usrfiles.com/ugd/be19e1_805eb9d0dc1e41659055dd785e118d5d.pdf
    • https://static.usrfiles.com/ugd/565485_97b645bb66b24a9eae8ee8d79a89264e.pdf
    • https://static.usrfiles.com/ugd/b8c837_9f5cb8898cb2475daaf71e0dc8e3a51c.pdf
    • https://static.usrfiles.com/ugd/b8c837_0252aac7b25f41178d4ae09497bf6393.pdf
    • https://cdn.shopify.com/s/files/1/0431/9205/8005/files/11713654502.pdf
    • https://cdn.shopify.com/s/files/1/0430/2431/8618/files/15838067881.pdf
    • https://cdn.shopify.com/s/files/1/0433/0212/5733/files/dofulujafepilat.pdf
    • https://cdn.shopify.com/s/files/1/0438/4836/8288/files/jelibajijamekovarir.pdf
    • https://cdn.shopify.com/s/files/1/0440/4586/1014/files/romimogawopawopuxuta.pdf
    • https://cdn.shopify.com/s/files/1/0435/3546/6655/files/73269209701.pdf
    • https://cdn.shopify.com/s/files/1/0450/4171/3310/files/pearson_btec_applied_science_level_3.pdf
    • https://cdn.shopify.com/s/files/1/0433/5904/3749/files/ninovuxugiwoziwalo.pdf
    XMP/RDF namespace URIs from the document metadata (not clickable links; present in any PDF that carries an XMP packet, so they carry no weight):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
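The two heuristics above, and the channel distinction the EMBEDDED_URL note asks for, can be reproduced with a short scanner. The following is an added example written for this page, not the analysis product's own code: it pulls every URI reached through a /URI link action (including ones inside FlateDecode streams, where PDF 1.5 object streams can hide annotation dictionaries), separates XMP namespace declarations from clickable links, and then applies the small-file, many-external-PDF-links, one-dominant-host rule plus a redirector-host check. REDIRECTOR_HOSTS holds only the host this report flags; the thresholds MIN_PDF_LINKS, MAX_SIZE and DOMINANT_SHARE, the helper names, and the sample PDF built by build_sample_pdf are assumptions made for the illustration and are not taken from the analysed file.

```python
"""Link-farm and redirector heuristics over a PDF's /URI link annotations.

Added example, not the analysis product's own code. REDIRECTOR_HOSTS holds the
host flagged in the report; the thresholds are assumptions for illustration.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.com"}                          # from the report; extend from your own intel
MIN_PDF_LINKS, MAX_SIZE, DOMINANT_SHARE = 8, 200 * 1024, 0.5   # assumed thresholds, tune on your corpus

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")      # /A << /S /URI /URI (...) >>
XMLNS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')     # XMP namespace declarations
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes (for parentheses and backslash) a PDF literal string may carry."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list:
    """Every URI reached through a /URI action, in plain objects and inside any
    FlateDecode stream (object streams can hide annotation dictionaries)."""
    buffers = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            buffers.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed, image or differently filtered stream
    return [_pdf_string(m.group(1)) for buf in buffers for m in URI_RE.finditer(buf)]


def extract_metadata_namespaces(pdf: bytes) -> list:
    """URIs that are only XMP/RDF namespace names, not links a user can click."""
    return sorted({m.group(1).decode("ascii") for m in XMLNS_RE.finditer(pdf)})


def assess(pdf: bytes) -> dict:
    """Apply the report's two heuristics: mass external .pdf links clustered on
    one host inside a small file, and any link to a redirector host."""
    external = [u for u in extract_link_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    share = top_count / len(external) if external else 0.0
    return {
        "size": len(pdf),
        "link_count": len(external),
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "redirector_links": [u for u in external if urlparse(u).hostname in REDIRECTOR_HOSTS],
        "seo_link_farm": len(pdf) <= MAX_SIZE and len(pdf_links) >= MIN_PDF_LINKS
                         and share >= DOMINANT_SHARE,
        "metadata_namespaces": extract_metadata_namespaces(pdf),
    }


def build_sample_pdf(uris: list, compressed_uri: str = "") -> bytes:
    """Constructed minimal PDF (not the analysed sample): one /Link annotation per
    URI, an XMP metadata stream, and optionally one /URI action inside a
    FlateDecode stream to exercise the compressed path. No xref table is written
    because the byte scanner above does not need one."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp)]
    first = len(objs) + 2  # the page is object 4; annotations follow it
    annots = b" ".join(b"%d 0 R" % (first + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % annots)
    for u in uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>" % u.encode("latin-1"))
    if compressed_uri:  # minimal stand-in for an object stream, not spec-complete
        z = zlib.compress(b"<< /S /URI /URI (%s) >>" % compressed_uri.encode("latin-1"))
        objs.append(b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(z), z))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: the report's redirector URL, nine .pdf links on one host,
# and one more .pdf link reachable only through the compressed stream.
SAMPLE_URIS = ["https://ttraff.com/wix?keyword=star+trek+countdown+collection+volume+1"] + [
    "https://static.usrfiles.com/ugd/constructed_%02d.pdf" % i for i in range(9)]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS, "https://cdn.shopify.com/s/files/constructed.pdf")

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PDF).items():
        print("%-20s %s" % (key, value))
```

Two design points matter in practice. First, scanning inflated streams as well as raw bytes is what keeps the count honest: a carrier that stores its annotations in an object stream would otherwise show zero links. Second, the XMP namespace URIs are reported separately and never counted, since every XMP-bearing PDF declares them; treating them as links would inflate the external-link total and mis-attribute hosts such as w3.org and purl.org.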

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                  Size
font_00_sfnt_off000062d1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x62D1   5280 bytes
  SHA-256: 9de8aae6487ba58f405e521a71505bdb1e8f67353bfc58f4d75b517252032c82
font_01_sfnt_off000074c0.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x74C0   10240 bytes
  SHA-256: 4c83060cbb65d8f1298addf4205b099699af5c9f0d1e309476f81cfed293c4c2