Malicious PDF — malware analysis report

Static analysis result for SHA-256 9afc9be931a7432a…

MALICIOUS

PDF

Size: 54.9 KB
Created: 2020-09-09 09:20:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1328a43a964fc9828df8ee883ca7832a
SHA-1: 432cabd9cafe89671b39d1e48b18b47f335817a9
SHA-256: 9afc9be931a7432abf3b185d750d5e5f5be006e539d3e9f858c31ba0dd4ed937
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body also contains text related to 'Aetna answer team contact' and a URL that appears to be part of a phishing lure. The presence of numerous PDF links, many hosted on cdn.shopify.com, suggests an attempt to obscure the final malicious destination and potentially engage in SEO manipulation for better reach.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=aetna+answer+team+contact
    • https://cdn.shopify.com/s/files/1/0432/0103/6443/files/wubegudadarojuwopa.pdf
    • https://cdn.shopify.com/s/files/1/0429/5249/1159/files/wumevofefukifexetisekowum.pdf
    • https://cdn.shopify.com/s/files/1/0436/7728/6553/files/vutojumanoliminozupimelev.pdf
    • https://cdn.shopify.com/s/files/1/0434/0331/3315/files/messenger_lite_apk_apk.pdf
    • https://static.usrfiles.com/ugd/4fea5c_5c400defc5424ef8821964e1bc3ae769.pdf
    • https://static.usrfiles.com/ugd/b8c837_edb9d486f54e45719e2945602168d400.pdf
    • https://static.usrfiles.com/ugd/469aea_6cfadec516744086af3f8bc446564c07.pdf
    • https://static.usrfiles.com/ugd/576447_a845a0bfc6c0444a9b15a6e55b0de3ce.pdf
    • https://static.usrfiles.com/ugd/fe83c3_4e8dc7f981764ea48e84a8ac0fc27fd1.pdf
    • https://static.usrfiles.com/ugd/b8c837_1426225cefd9417493bf0331e6b88b03.pdf
    • https://static.usrfiles.com/ugd/95b9ea_7de77252791d4a65bca4d672ada974a4.pdf
    • https://static.usrfiles.com/ugd/dcbeda_31bd2978181c4bc8ab19bb9d5f73e047.pdf
    • https://static.usrfiles.com/ugd/a771bd_8f5b09f08e1e4b04a42ac441d78b2c7a.pdf
    • https://cdn.shopify.com/s/files/1/0431/6990/6854/files/pezidunomidimazija.pdf
    • https://cdn.shopify.com/s/files/1/0437/2702/8375/files/comment_rdiger_une_autobiographie.pdf
    • https://cdn.shopify.com/s/files/1/0449/0670/9159/files/iodine_value.pdf
    • https://cdn.shopify.com/s/files/1/0427/7813/2636/files/90461660749.pdf
    • https://cdn.shopify.com/s/files/1/0432/5054/8899/files/arcsight_tutorial.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • stream_005_off0000b34b.bin
    SHA-256: 2a291e3de9ec19ddde8fbadf49f785fa54d9628f2129c80cdc1a75f047e3964f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB34B
    Size: 17748 bytes
  • font_00_sfnt_off000071d2.bin
    SHA-256: d1b6388b4c222303d2ad96e6d4867c511ee6916bbc663111004431a4f6fb907b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71D2
    Size: 4996 bytes
  • font_01_sfnt_off000082c6.bin
    SHA-256: f7bb52e2093d3b56d5494ba40eec36a00024c210456db5071d8beb9207629c11
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82C6
    Size: 15596 bytes