Malicious PDF — malware analysis report

Static analysis result for SHA-256 df84d3a9bb43ff8d…

MALICIOUS

PDF

57.4 KB Created: 2020-09-05 04:54:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30a2631bd98fa1bc1ef9044816400364 SHA-1: a36d752e458cbdef5bb40fbe4b9357023ba3a2d3 SHA-256: df84d3a9bb43ff8db51cc38e587b4a987e85afcc96e91d87de55ba814480e8b0
162 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 Malicious Link T1059.003 Windows Command Shell

The PDF contains a mass of external links, with one critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains text related to resume formats and includes the malicious URL. Another heuristic indicates a lure to execute commands via the clipboard, suggesting a multi-stage attack. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=chronological+resume+sample+format
    • https://cdn.shopify.com/s/files/1/0465/1479/8750/files/76723735572.pdf
    • https://cdn.shopify.com/s/files/1/0432/2807/0052/files/square_root_of_46_in_radical_form.pdf
    • https://cdn.shopify.com/s/files/1/0437/9911/7986/files/83418972434.pdf
    • https://cdn.shopify.com/s/files/1/0431/2937/2832/files/kijudazejipa.pdf
    • https://cdn.shopify.com/s/files/1/0437/1503/5291/files/39889875327.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a632ee9836d48e6bec1a7a2dcf40888.pdf
    • https://static.usrfiles.com/ugd/cc15ef_1adb82db7afa434b852113fe44602ac5.pdf
    • https://static.usrfiles.com/ugd/822ecd_ffb4bc6a205a4af394715ab84b37180c.pdf
    • https://static.usrfiles.com/ugd/e5a943_c055e0b53e4e4bc7a9e1f885bab140bd.pdf
    • https://static.usrfiles.com/ugd/daca0d_0c2cfce097344b4b938412a9f035c2e9.pdf
    • https://static.usrfiles.com/ugd/15ebe2_a1c0ba497c7144aca3ed7100d492ad1e.pdf
    • https://cdn.shopify.com/s/files/1/0431/7816/4384/files/54097120348.pdf
    • https://cdn.shopify.com/s/files/1/0437/3273/0017/files/remington_870_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a177.bin
af88b20e2f0db06594e8e8ce12fb7937b764ac4a7c7a0e0ed041fde2b60d226d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA177 5332 bytes
font_01_sfnt_off0000b36d.bin
1ce59650d06c8ba8c1fc41c94e11b37501bd2e0f6714430672ec3a39b1a4a849		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB36D 11064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.