Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a0135711d6a91d2…

Verdict: MALICIOUS
File type: PDF
Size: 81.3 KB
Created: 2020-09-02 16:21:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d06a0fe6e82bf860f04095af393eba39
SHA-1: 1aca92b7f32b574e43b4f8abca8d95008b3dff5c
SHA-256: 7a0135711d6a91d23373cb030dfa4cfc82c4c46afddf3d207e0d9264f2dd64fb
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=campaign+finance+reform+examples'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0435/3359/8880/files/kepaxinaxis.pdf'. The document body, though heavily obfuscated, contains text related to campaign finance reform and the malicious URL, suggesting a lure to a potentially malicious site.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.link/wix?keyword=campaign+finance+reform+examples

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00010064.bin
    SHA-256: 2b1787ce58101a81ae783bd59e82fce872b0b34392ecf5085a4d57b78e64defb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10064
    Size: 5308 bytes
  • font_01_sfnt_off00011267.bin
    SHA-256: 4fee7ba5f25b2fac0f5da3b5dc9d54a6ca11a097047ef0545e204463bfca4c1c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11267
    Size: 11440 bytes