Malicious PDF — malware analysis report

Static analysis result for SHA-256 53d764a406d3af87…

MALICIOUS

PDF

38.7 KB Created: 2020-09-05 21:04:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dbc55a650b363d0bf0a5e2c1a4854a6 SHA-1: 30731a7164c4747dd16ffc9b2ffd2e90aeba4615 SHA-256: 53d764a406d3af8756a0f1af95458beff6b394b0519d15c8b8dcacc21b087beb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a specific redirector link that is flagged as malicious. The document body, though heavily corrupted, contains text related to an 'application form' and the malicious URL. The primary attack vector appears to be social engineering through a deceptive link, leading to a malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=playground+leaders+application+form
    • https://cdn.shopify.com/s/files/1/0438/0144/4512/files/18972871685.pdf
    • https://cdn.shopify.com/s/files/1/0430/8877/3269/files/39682224693.pdf
    • https://cdn.shopify.com/s/files/1/0463/3552/5025/files/gopotetol.pdf
    • https://cdn.shopify.com/s/files/1/0429/7926/2623/files/candy_crush_hacked_apk_2019.pdf
    • https://cdn.shopify.com/s/files/1/0440/7469/6856/files/wavivezusen.pdf
    • https://static.usrfiles.com/ugd/b8c837_161157c80ca949628ceda4d1d843ee1f.pdf
    • https://static.usrfiles.com/ugd/0dd040_eb970a6f671340ed9e4150f6962bb9a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_3c5f368928b049d584ceedda96fac2e1.pdf
    • https://cdn.shopify.com/s/files/1/0431/3910/4917/files/41332114959.pdf
    • https://cdn.shopify.com/s/files/1/0435/9903/6579/files/best_architecture_books.pdf
    • https://cdn.shopify.com/s/files/1/0437/7303/4657/files/deligozafemevafupirixipoj.pdf
    • https://cdn.shopify.com/s/files/1/0463/2379/4077/files/monaloluzivafejim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000058cf.bin
ed9ea82c365bf01f965e6b8226e6ebb46d6f5964b6b8ab6e0641f224832c294e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58CF 5576 bytes
font_01_sfnt_off00006bca.bin
6e9e0deea93bec00c76813a6f8b2970ce7aaf35b3aed376447f4e5120fcfb436		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BCA 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.