Malicious PDF — malware analysis report

Static analysis result for SHA-256 a047e7c3b634b1a5…

MALICIOUS

PDF

63.8 KB Created: 2020-08-31 00:44:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d14d91d762624052edbcb3e1168be31 SHA-1: a253490e146e6bff0b0c4a20aa55d7f4361f1408 SHA-256: a047e7c3b634b1a5737d4d3eb62bb493aa3246d5d532b68a31ea9c2ead0cb744
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector URL. The document body text, though heavily obfuscated, contains a reference to 'sales and distribution management pdf free download' and the malicious URL. This suggests a social engineering lure to trick users into clicking the link, which then redirects to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=sales+and+distribution+management+pdf+free+download
    • https://cdn.shopify.com/s/files/1/0429/7624/7971/files/torajomugan.pdf
    • https://cdn.shopify.com/s/files/1/0429/1274/3580/files/60517471579.pdf
    • https://cdn.shopify.com/s/files/1/0435/9149/9935/files/bofinedos.pdf
    • https://cdn.shopify.com/s/files/1/0429/5645/6095/files/97733613450.pdf
    • https://cdn.shopify.com/s/files/1/0437/0890/7688/files/54838998785.pdf
    • https://cdn.shopify.com/s/files/1/0438/1887/7085/files/33577855668.pdf
    • https://static.usrfiles.com/ugd/3dd68e_e9f217ea1aa44908a9841572efe3415e.pdf
    • https://static.usrfiles.com/ugd/b8c837_6dd4ad6a5c9541858a7f45dee7796066.pdf
    • https://static.usrfiles.com/ugd/0df15e_354c268514894e63982fcff3de519ca6.pdf
    • https://static.usrfiles.com/ugd/b5472a_4b570142714c441a88661a7390c674c7.pdf
    • https://static.usrfiles.com/ugd/b8c837_9204bb1157ed4d6c8c1fa81ea7f6baa1.pdf
    • https://static.usrfiles.com/ugd/07625c_9a6aafc1b44d4620a4243f8099c384d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_0419c8aeb5ec492f8cc11bcc2c441d79.pdf
    • https://static.usrfiles.com/ugd/b56239_a3748850bcb74b2f8e4c33b8381d5d94.pdf
    • https://static.usrfiles.com/ugd/b8c837_1419d63d92f34f3ca6cab4cd2a702b00.pdf
    • https://static.usrfiles.com/ugd/6203b9_d9b3519c1ffe431ea73eb9e799220502.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000add3.bin
5d324d4a90d051f74bfecbc3b3c33444d3e82632707184dccf854c3014054d79		 pdf-font-stream PDF embedded font (sfnt) at offset 0xADD3 5580 bytes
font_01_sfnt_off0000c0ac.bin
8eb138d91d51c70473e1599e9bdd3879908cd2935ceb5cf6a5f5c35bb967b8d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0AC 10096 bytes
font_02_sfnt_off0000e353.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE353 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.