Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad867dc5ecc40207…

MALICIOUS

PDF

35.1 KB Created: 2020-09-06 01:16:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 647bd1266f0fa521f5b83d596ed8ed3d SHA-1: 91baa57b6f13e2b75455703c13e45a2c764f7953 SHA-256: ad867dc5ecc40207ef7ec1f167c7287207621e19a66ad51cce73d86a26e38f22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded URLs, with one identified as a malicious redirector. The document body, though partially corrupted, contains text related to 'free 5x7 flat card template' and the malicious URL, suggesting a lure. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the presence of a link to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic indicates a large number of external PDF links, likely for SEO manipulation or to host further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=free+5x7+flat+card+template
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/13002849425.pdf
    • https://cdn.shopify.com/s/files/1/0432/6454/0840/files/sagubibonamesaf.pdf
    • https://cdn.shopify.com/s/files/1/0437/5271/8494/files/63278397221.pdf
    • https://cdn.shopify.com/s/files/1/0427/9812/1119/files/xojej.pdf
    • https://cdn.shopify.com/s/files/1/0436/2679/1075/files/57063712425.pdf
    • https://static.usrfiles.com/ugd/c4ccc4_6e9733f359484fb4b0ff89ac5e886f06.pdf
    • https://static.usrfiles.com/ugd/77d535_853da45586fc4428bb61e0fd03092e9d.pdf
    • https://static.usrfiles.com/ugd/01bc73_67bc8406365f418f868a6b3438c35fc1.pdf
    • https://static.usrfiles.com/ugd/1d64af_3fed5010d5104971bcfc6d763c044ccb.pdf
    • https://static.usrfiles.com/ugd/ca300b_cd93b45bd09d4482bef09752f2d4aea8.pdf
    • https://static.usrfiles.com/ugd/7c3584_6b9573dbcd574360a4a0aa2f8946f26b.pdf
    • https://static.usrfiles.com/ugd/78daac_c16790d7853248ef9e87f5db3308fb37.pdf
    • https://static.usrfiles.com/ugd/66f7a0_77469d7254e24763bd8c25c130a2fad6.pdf
    • https://static.usrfiles.com/ugd/ebc5f9_2213f54248a44464a9a2858844555465.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cb8.bin
50f2ffcf96f7f7ff91c5868d722dd0b517ec9ef2a52a045ab951e0853297fc71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CB8 5348 bytes
font_01_sfnt_off00005ee5.bin
dcfb4a408ed337a7433bc283e5a873b8be0b638522ffaac1ec17149cb3b8dcaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE5 9736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.