Malicious PDF — malware analysis report

Static analysis result for SHA-256 a09e03c34ae7fce7…

Verdict: MALICIOUS
File type: PDF
Size: 52.7 KB
Created: 2020-08-31 02:15:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 730d6537551759ea683a7f66b7d60174
SHA-1: eca6aa32e34fd8b2d6a6f6f4b254b693024c0c3a
SHA-256: a09e03c34ae7fce75cab5c19552f6e7aaebe8e387db45abc63921d05a28fccaa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to shopify.com domains, but one critical link directs to a known malicious redirector. This suggests a phishing or scam attempt in which the user is enticed to click the malicious link, likely leading to further compromise. The document body contains garbled text but also includes the malicious URL, reinforcing the assessment that user-initiated link clicks, not a parser exploit, are the attack vector.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.cc/wix?keyword=asagao+to+kase-+san+movie
    • https://cdn.shopify.com/s/files/1/0430/0541/1481/files/rolerokajopupogapij.pdf
    • https://cdn.shopify.com/s/files/1/0429/1805/1996/files/x-_files_s10e01.pdf
    • https://cdn.shopify.com/s/files/1/0435/8035/8815/files/persona_3_pine_resin.pdf
    • https://cdn.shopify.com/s/files/1/0431/5293/3021/files/47513757362.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_cfc25c058c1f45eb9a54cbea43088044.pdf
    • https://static.usrfiles.com/ugd/3aca14_90fabbea9b7e4026a049abaea23c21db.pdf
    • https://static.usrfiles.com/ugd/45e30f_a40ef8b980ad45b088d0b24600c783bd.pdf
    • https://static.usrfiles.com/ugd/e6092c_5f392ced8a1a4a20890e45a87740ecd3.pdf
    • https://cdn.shopify.com/s/files/1/0437/4721/3464/files/wevezuxuwefosemogi.pdf
    • https://cdn.shopify.com/s/files/1/0428/8492/3555/files/self_certification_fit_note_form.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53293114795.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006529.bin
    SHA-256: b6a9041dd1bd1560c7dc17b0d993b80955e789cc4cf36c21f9cfb8681a83e8ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6529
    Size: 12712 bytes
  • Filename: font_01_sfnt_off00008f26.bin
    SHA-256: 054198db93076ae6ea8e9bc456ec6cde67b8835521849f63338106a57c830d6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F26
    Size: 5020 bytes
  • Filename: font_02_sfnt_off0000a039.bin
    SHA-256: 20100652bc35ed14e9023e71f3b6ac8a92b6a5e4c43d9bbb3c4bc3698c686d57
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA039
    Size: 10564 bytes