Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4b34783b4a81b00…

MALICIOUS

PDF

Size: 39.6 KB
Created: 2020-08-31 00:39:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4da80b84fd5eb31e4b410d81a7a3e325
SHA-1: 0c90441707294c62badbcf5f9be0432269427175
SHA-256: e4b34783b4a81b00dd8b2917002f1368974870c06211f2ffcb3f8a4b86ae29e9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple embedded links, with one heuristic specifically identifying a link to a known malicious redirector. The document body, though partially corrupted, contains the same malicious URL. This suggests the primary goal is to lure the user to a malicious site, likely for further exploitation or credential harvesting. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://ttraff.cc/wix?keyword=um+bal%25C3%25A3o+de+borracha+continha+3+litr
    • https://cdn.shopify.com/s/files/1/0432/4855/0050/files/40843306838.pdf
    • https://cdn.shopify.com/s/files/1/0454/1834/8712/files/96520845451.pdf
    • https://cdn.shopify.com/s/files/1/0430/7232/3737/files/dijubaw.pdf
    • https://cdn.shopify.com/s/files/1/0437/0232/1307/files/41986684923.pdf
    • https://cdn.shopify.com/s/files/1/0430/2841/4618/files/fofevapurojux.pdf
    • https://static.usrfiles.com/ugd/b8c837_3707ae89943b45d6bbcfc073fe60ea8e.pdf
    • https://static.usrfiles.com/ugd/b972d5_a2b91a5371de4fd59d7a35a40fca9b2f.pdf
    • https://static.usrfiles.com/ugd/b8c837_85d4b6f958204b24b3f2a9278f2e0a7a.pdf
    • https://static.usrfiles.com/ugd/0c4177_364c890a023a440094fc7d0e0f8919f8.pdf
    • https://static.usrfiles.com/ugd/3fc21f_8cc88989f0a749c5b8883ba7b1f18f88.pdf
    • https://static.usrfiles.com/ugd/eb4c03_df71fd7b9f1d4786ae1528c6ce780ce4.pdf
    • https://cdn.shopify.com/s/files/1/0440/7797/3654/files/sujezivisod.pdf
    • https://cdn.shopify.com/s/files/1/0431/4444/6118/files/72659877177.pdf
    • https://cdn.shopify.com/s/files/1/0429/8201/5129/files/tepuxilelomizita.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005663.bin
SHA-256: f1dca357b2e4d8d09829b438f8c32f9daabf0b63acf70aaea2c5f071c747db59
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5663
Size: 5616 bytes

Filename: font_01_sfnt_off000068b9.bin
SHA-256: 5bf1eb8e8a139ad4f427d60f3ba302ed70b632f893b558a1bbde24b7b47f0c70
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68B9
Size: 12952 bytes