Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac7250926d2a4308…

MALICIOUS

PDF

36.8 KB Created: 2020-10-17 01:31:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b5e6d8bc900466a1bd04ad5138a8492 SHA-1: 9bfa617d4c6d650b9532a3f2545ee17ca31e9bef SHA-256: ac7250926d2a430844e5a7a7bee42f1067f893b206d71c6d275fa9e4319d3c09
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking PDFs hosted on Shopify and Strikingly. This suggests a link farm or redirection tactic to distribute malicious content or manipulate search engine results.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/123?keyword=querido+john+pdf+nicholas+sparks
    • https://cdn-cms.f-static.net/uploads/4366385/normal_5f875c6e5394b.pdf
    • https://cdn-cms.f-static.net/uploads/4369316/normal_5f87d36fea865.pdf
    • https://cdn-cms.f-static.net/uploads/4365575/normal_5f8709d80c8f2.pdf
    • https://cdn-cms.f-static.net/uploads/4365662/normal_5f8a163e932bd.pdf
    • https://cdn-cms.f-static.net/uploads/4366317/normal_5f87263876e95.pdf
    • https://cdn-cms.f-static.net/uploads/4366632/normal_5f871bd46148e.pdf
    • https://cdn-cms.f-static.net/uploads/4366949/normal_5f8a0c2e64f5b.pdf
    • https://cdn-cms.f-static.net/uploads/4366647/normal_5f877679e37bc.pdf
    • https://cdn.shopify.com/s/files/1/0476/9493/8271/files/fear_inventory_aa.pdf
    • https://cdn.shopify.com/s/files/1/0497/0984/2589/files/music_theory_net.pdf
    • https://cdn.shopify.com/s/files/1/0431/7125/0333/files/bim_handbook_espaol.pdf
    • https://uploads.strikinglycdn.com/files/4267878c-647d-4a42-a2d6-34d56e252d56/gugodisetun.pdf
    • https://uploads.strikinglycdn.com/files/8223ee0d-04ed-4d72-bce9-035cca2c7106/govifuposeledi.pdf
    • https://uploads.strikinglycdn.com/files/77d78942-2f79-4007-9589-416ab7a62102/dazurib.pdf
    • https://cdn.shopify.com/s/files/1/0497/6050/1921/files/swantex_napkins_3_ply.pdf
    • https://cdn.shopify.com/s/files/1/0498/2240/0674/files/vomax.pdf
    • https://cdn.shopify.com/s/files/1/0496/5990/4157/files/2157112606.pdf
    • https://cdn.shopify.com/s/files/1/0497/8494/6850/files/97708224071.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e22.bin
c16a5439837d92247ec728934a952ddc63c3c6cc4954f59b3acdc6e764aa3944		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E22 5444 bytes
font_01_sfnt_off000060a1.bin
b1eda02a96834fad1ad8d60750af910e80398c741a23ba34765be495e60f2217		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60A1 10476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.