Malicious PDF — malware analysis report

Static analysis result for SHA-256 a65a803f99fe7224…

MALICIOUS

PDF

39.1 KB Created: 2020-08-31 11:07:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 531f8c462c30b99e8ce15c5edbf14ca2 SHA-1: a2b8601d7c0d1dc8b142e6cfac21be1c86419f25 SHA-256: a65a803f99fe72249a19acfec3b1aef4e7320885c452daffac5da17ad9d7d6d6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one pointing to a known malicious redirector. The document body is heavily obfuscated but contains references to the malicious URL and other benign-looking PDF files hosted on Shopify and usrfiles.com. This suggests a link farm or SEO manipulation tactic, likely designed to lead users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=empire+total+factions
    • https://cdn.shopify.com/s/files/1/0434/2457/9736/files/27997999511.pdf
    • https://cdn.shopify.com/s/files/1/0434/3490/1660/files/57283308584.pdf
    • https://cdn.shopify.com/s/files/1/0432/2902/0317/files/nolaxewavufepijogaluve.pdf
    • https://cdn.shopify.com/s/files/1/0433/9623/5415/files/99915918257.pdf
    • https://static.usrfiles.com/ugd/b8c837_246c0046a4ab40f8b875618f3232a841.pdf
    • https://static.usrfiles.com/ugd/b8c837_675826b6c0e14a5c887689b8dad0a5f5.pdf
    • https://static.usrfiles.com/ugd/7d21c0_e59daa3a51fb45a09c9ca39e41746d87.pdf
    • https://static.usrfiles.com/ugd/b8c837_4122a60ba22740319772efdb9658b1f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_a97c488d32be40fe8217e8406d7f95f4.pdf
    • https://static.usrfiles.com/ugd/529dbf_371f16e89daa4a27a6a71a6e9f7a799d.pdf
    • https://static.usrfiles.com/ugd/b8c837_549123141001403491d6a258a04bf734.pdf
    • https://static.usrfiles.com/ugd/b8c837_5bf4dab0dfd444e192a58c4f1850617d.pdf
    • https://static.usrfiles.com/ugd/b8c837_eea862f89f4e476b905f8d61a6bb3ff7.pdf
    • https://cdn.shopify.com/s/files/1/0429/2437/6227/files/heretofore_crossword_puzzle_answer.pdf
    • https://cdn.shopify.com/s/files/1/0437/9597/2256/files/28157881880.pdf
    • https://cdn.shopify.com/s/files/1/0433/0605/7888/files/47138661734.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c08.bin
40998258cfa88c28ca0917ed35fa5243e2283d3f62d2dc26704ca768d2360a38		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C08 5120 bytes
font_01_sfnt_off00006d57.bin
fca5dc4d3d30c08b05289100d16cb366d144be0404b527672b1097cb9c6598e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D57 10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.