Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7b9ec5edb450b95…

MALICIOUS

PDF

49.8 KB Created: 2020-09-04 15:48:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e722fb70fd57d988d79f641935d54a1 SHA-1: 4d696e05e4eab8856796eb5c2258899be92c37a1 SHA-256: c7b9ec5edb450b9518dd33bf4c36eafa916b22bc9c9594c28940ba2b46aefb8f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to a redirector. The document body, though heavily obfuscated, contains a URL that appears to be part of a lure for a 'blank t shirt template'. This suggests the PDF is designed to trick users into clicking malicious links, likely for phishing or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=blank+t+shirt+template+white
    • https://static.usrfiles.com/ugd/f84671_2668ac22223a4169868b7d2e0dcb854c.pdf
    • https://static.usrfiles.com/ugd/accd1f_27df5b0feef74ca494b06c6fac92a809.pdf
    • https://static.usrfiles.com/ugd/607883_af7f7bf613b842a1944363503f29c1c2.pdf
    • https://static.usrfiles.com/ugd/a107db_3e36e9a7d7514e5285737fff33aa10f2.pdf
    • https://static.usrfiles.com/ugd/67f5f7_3b2f728ea0484d248d1e19423d56a02d.pdf
    • https://static.usrfiles.com/ugd/409ca8_5cd1625949c54ae4bc7ca3c647bf08ae.pdf
    • https://static.usrfiles.com/ugd/8b49c6_dee2b808fb1b4697a99616deb6f56433.pdf
    • https://static.usrfiles.com/ugd/856cea_43de77be1ae74d8aa7924525ef105b80.pdf
    • https://cdn.shopify.com/s/files/1/0431/3504/1693/files/pevezipuxebojo.pdf
    • https://cdn.shopify.com/s/files/1/0438/9063/9000/files/xapes.pdf
    • https://cdn.shopify.com/s/files/1/0438/8497/0152/files/87559156859.pdf
    • https://cdn.shopify.com/s/files/1/0461/7099/6889/files/8813409027.pdf
    • https://cdn.shopify.com/s/files/1/0437/5045/7505/files/black_and_white_photography_books.pdf
    • https://cdn.shopify.com/s/files/1/0430/4535/5674/files/mosagemajumebizuki.pdf
    • https://cdn.shopify.com/s/files/1/0432/3685/1874/files/adobe_pack_features.pdf
    • https://cdn.shopify.com/s/files/1/0433/3427/1126/files/88036888844.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078fe.bin
e5a30760e8749f97f812cb8f6a0587c12fd013aba7c8fa9628bab75305d39475		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78FE 4944 bytes
font_01_sfnt_off0000899d.bin
1d78cb1b3ef11670fd0936331cc926fa12fce89ac877920f026298ecc4917429		 pdf-font-stream PDF embedded font (sfnt) at offset 0x899D 10060 bytes
font_02_sfnt_off0000ac0c.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC0C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.