Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e2d5d46e050ef2e…

MALICIOUS

PDF

Size: 39.5 KB
Created: 2020-08-15 18:33:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3af4b2d1b64c1eddac11a643312198f3
SHA-1: 15f4c1c7608d1ca86219aa654222001aad30f33b
SHA-256: 9e2d5d46e050ef2e8f7d01a7b5fa6783ea015e45b36620a320ddf55da71223c2
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a free iPhone app converter, which is a common lure for phishing or malware delivery. The document body and heuristics indicate an attempt to drive users to external sites, with one URL pointing to known malicious infrastructure. The presence of numerous links, many hosted on Shopify, suggests a link farm designed to improve SEO for malicious content.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context; this is consistent with callback phishing or tech-support scam patterns.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged redirector URL: https://ttraff.com/wb?keyword=convert%20to%20pdf%20free%20iphone%20app

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005cc0.bin
  SHA-256: d0f33cf63c009c22b69362df8f2faa3acc70f4de2faca42b7875d4920c73c2f1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5CC0
  Size: 4884 bytes

Filename: font_01_sfnt_off00006d5b.bin
  SHA-256: cecee04f9272d3632921ad5fe72d492481ae5c887e56030e781aa42863cd8cf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6D5B
  Size: 10480 bytes