Malicious PDF — malware analysis report

Static analysis result for SHA-256 500e0cd3ebdb52ee…

MALICIOUS

PDF

37.6 KB Created: 2020-09-06 00:26:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d71d9b864958043285f6cdc5efa4677 SHA-1: efdc368c6596414449c8929c76df9864f4b2db2d SHA-256: 500e0cd3ebdb52ee4bf774b26192779c4be56b30cb14f1472d7c1b8a34c49f4c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass external link farm, with many links pointing to benign Shopify URLs. However, one critical heuristic firing indicates a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. This suggests the document's primary purpose is to redirect users to malicious sites under the guise of providing a tutorial.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=reality+capture+tutorial+pdf
    • https://cdn.shopify.com/s/files/1/0428/0126/6851/files/megad.pdf
    • https://cdn.shopify.com/s/files/1/0430/3867/1010/files/carnival_corporation_annual_report_2018.pdf
    • https://cdn.shopify.com/s/files/1/0432/4163/5997/files/10079324146.pdf
    • https://cdn.shopify.com/s/files/1/0430/7206/1591/files/zutaritobuwagodofonil.pdf
    • https://cdn.shopify.com/s/files/1/0433/4488/7963/files/jumalolap.pdf
    • https://cdn.shopify.com/s/files/1/0434/1514/2551/files/chips_challenge_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/1050/6404/files/dorixipudiganunibuf.pdf
    • https://cdn.shopify.com/s/files/1/0462/7755/8432/files/zinenoruvuwuwemani.pdf
    • https://cdn.shopify.com/s/files/1/0435/8366/8392/files/ben_10_afrikaans_song.pdf
    • https://cdn.shopify.com/s/files/1/0436/5893/6473/files/dipetoremomajezo.pdf
    • https://cdn.shopify.com/s/files/1/0429/2775/1321/files/let_it_be_piano_free_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0440/2806/7990/files/72751766441.pdf
    • https://static.usrfiles.com/ugd/d01287_102c71e3ee1044e289d926c061cf844d.pdf
    • https://static.usrfiles.com/ugd/429b25_42ac0a87e39f4a28a6a91f656f6af85f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005453.bin
c716c015ee9b932b8ccd3cb28a50d98664b4f6898aa022b7a23216d3dbd00870		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5453 5080 bytes
font_01_sfnt_off000065c0.bin
2265ac67e83bc53a7fcb5f9c1dc696094e2551594692ce407875d4fb727f8b53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C0 10628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.