Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1e3be6ea203619f…

MALICIOUS

PDF

47.6 KB Created: 2020-09-17 14:42:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 484dcfc98d2920c039a3f10b51656f0a SHA-1: 3b69b26268b5a2579d904d1fe2dd0efb783e1d24 SHA-256: a1e3be6ea203619f1b91b244e45f137af7548e7097867bd756a04162dd5026b4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to a URL designed to appear as a search result for 'graco turbobooster manual canada'. The document also contains a PDF link farm heuristic, indicating it's part of an SEO poisoning effort. The primary malicious IOC is the redirector URL, which is likely used to lead the user to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=graco+turbobooster+manual+canada
    • https://cdn.shopify.com/s/files/1/0433/5819/1768/files/91104517213.pdf
    • https://cdn.shopify.com/s/files/1/0433/9207/3895/files/78985489659.pdf
    • https://cdn.shopify.com/s/files/1/0438/3558/8770/files/15612871059.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/nh-_craigslist-_org_craigslist_tampa.pdf
    • https://cdn.shopify.com/s/files/1/0429/5147/5351/files/11938884718.pdf
    • https://cdn.shopify.com/s/files/1/0433/5045/8526/files/xomidoxidilurudisisovi.pdf
    • https://cdn.shopify.com/s/files/1/0431/2449/0397/files/58494783482.pdf
    • https://cdn.shopify.com/s/files/1/0428/9747/3699/files/51137237712.pdf
    • https://e9c5e164-e635-4079-b05c-2e2eac511ee6.filesusr.com/ugd/64e449_83930853ce00461485ca087b3767f570.pdf?index=true
    • https://cfc594f0-8ab4-4eb0-93ac-e7f0e956a322.filesusr.com/ugd/97aff7_8ed451e0ed974fb996a92dad7cce69c0.pdf?index=true
    • https://7eedaa87-c12a-40a1-8412-2501d0449535.filesusr.com/ugd/02631b_aa5dd933db8c41eaac74465c3e72de82.pdf?index=true
    • https://48b63249-50f1-475c-8bf6-a474ec3dfdfa.filesusr.com/ugd/03ae60_0c46b6d367c246e3890918d00a55d43a.pdf?index=true
    • https://f690463a-e30a-4828-bc57-1c23cd1b703b.filesusr.com/ugd/95b9ea_387fb694a9ed4328900caff19d5c7dbc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007d95.bin
ba438ec02af8f0f6e84d6b5d6a09fc9289679f7dfb2dc11a31e694fd534ccf60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D95 5256 bytes
font_01_sfnt_off00008f5b.bin
c7a760e15cf5ade5e1772fdaadc55bb1440f43771795df943b9f68d1ccf9ed9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F5B 10044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.