Malicious PDF — malware analysis report

Static analysis result for SHA-256 a37061d7d3e77f1c…

MALICIOUS

PDF

48.1 KB Created: 2020-09-01 06:46:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b9d85bc5c972ada1d3aba287711d60c SHA-1: 95e2f6409a308d30783f22edc3a34b96a5f94f6f SHA-256: a37061d7d3e77f1c0bae77f19353edce95ea8c74cd8e6b88583ab95f46f0ca60
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to a URL that impersonates a Walmart Black Friday ad. This suggests a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the same lure text and URLs, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=walmart+black+friday+2018+ad
    • https://static.usrfiles.com/ugd/b8c837_910e7a75e1584e87aaf707987ae68d13.pdf
    • https://static.usrfiles.com/ugd/3b7182_1fd6bfce2cd74498b28c9fb845367826.pdf
    • https://static.usrfiles.com/ugd/7baf93_3023ce1f782d43d9a4b9b479d4f92e3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_b832b9a38e744de4ad2ae6d6bb618ed0.pdf
    • https://cdn.shopify.com/s/files/1/0433/7218/3703/files/95809033423.pdf
    • https://cdn.shopify.com/s/files/1/0462/1228/4570/files/jifekowedosan.pdf
    • https://cdn.shopify.com/s/files/1/0437/1467/4841/files/contextcompat._checkselfpermission_in_android.pdf
    • https://cdn.shopify.com/s/files/1/0434/8978/8069/files/wozezepovixozagomoxefo.pdf
    • https://cdn.shopify.com/s/files/1/0433/2240/9125/files/tixinaniwibesivu.pdf
    • https://cdn.shopify.com/s/files/1/0432/8646/2628/files/97141478552.pdf
    • https://cdn.shopify.com/s/files/1/0440/2642/9605/files/lakowitotapeg.pdf
    • https://cdn.shopify.com/s/files/1/0431/3900/6618/files/48867199455.pdf
    • https://cdn.shopify.com/s/files/1/0430/6262/4417/files/aghori_vidya_in_marathi.pdf
    • https://cdn.shopify.com/s/files/1/0449/2951/5687/files/kasekeg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c07.bin
81254b449a8c9fbf294083132b11cbf5f0d0fa974179e1453b5d352a0a005f61		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C07 5828 bytes
font_01_sfnt_off00007fe9.bin
af361ea1048890ec28bb77f68781b9cc6fa0a9ce5131fee3cc6418192f633316		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FE9 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.