Malicious PDF — malware analysis report

Static analysis result for SHA-256 c844e9d1a57cdd61…

MALICIOUS

PDF

42.4 KB Created: 2020-08-16 19:08:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 894d147179ca934e5007fcf4ea49b8ca SHA-1: 7cece7161546d19a228ebc69caa090f824fc46a1 SHA-256: c844e9d1a57cdd61fdaed75ee25c09e5b058b0e0fb903eac9a56d4de8b9fbe92
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one specifically identified as a malicious redirector. This suggests the primary goal is to direct users to potentially harmful websites. The presence of numerous links, many pointing to Shopify domains, indicates a link farm or SEO poisoning attempt to mask the malicious destination. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=diablo+2+rogue+merc+guide
    • http://files.ivoryleaguepublishing.com/uploads/1/3/2/6/132681969/didane-tatizezo.pdf
    • http://selukaz.tsabs.bg/uploads/1/3/0/9/130969690/rujajexubowefa.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7293/files/65808479827.pdf
    • https://cdn.shopify.com/s/files/1/0430/1737/1801/files/39862403115.pdf
    • https://cdn.shopify.com/s/files/1/0431/3917/0466/files/voruji.pdf
    • https://cdn.shopify.com/s/files/1/0436/0660/5987/files/boxilifaroxidiri.pdf
    • https://cdn.shopify.com/s/files/1/0436/4170/0505/files/jesewujodagu.pdf
    • https://cdn.shopify.com/s/files/1/0432/8049/8852/files/dejukubi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4939/4080/files/temporary_internet_files_location_has_changed.pdf
    • https://cdn.shopify.com/s/files/1/0430/7140/6237/files/91847014227.pdf
    • https://cdn.shopify.com/s/files/1/0431/7144/6939/files/24981702409.pdf
    • https://cdn.shopify.com/s/files/1/0428/9232/9116/files/boradekix.pdf
    • https://cdn.shopify.com/s/files/1/0431/5276/9192/files/57958174701.pdf
    • https://cdn.shopify.com/s/files/1/0433/3928/4645/files/75148920502.pdf
    • https://cdn.shopify.com/s/files/1/0449/6615/0303/files/zafejuveweripofo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006747.bin
ac9ad2d4e121b7470a9932fd952778f2254f0b240d8f4147172cd3a15e88aa17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6747 5352 bytes
font_01_sfnt_off00007957.bin
08a5210d3e09e91586458d13109d92b1a5c99c822fefee3a87d88f58a30b4a5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7957 10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.