Malicious PDF — malware analysis report

Static analysis result for SHA-256 e69609a908874fdb…

MALICIOUS

PDF

39.9 KB Created: 2020-08-30 02:43:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 934941df86d90d6b211ca114425a53bc SHA-1: 6398b0eed73b18a8b5d91d1dae17de12802515bb SHA-256: e69609a908874fdb2c6432afe03555c616e3051eaa3e4d3d039f13262132857a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one pointing to a known malicious redirector. The document body is heavily obfuscated and contains numerous URLs, many of which point to Shopify-hosted PDFs. This suggests a link farm or SEO manipulation tactic, potentially leading users to malicious content or phishing sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=assimil+allemand+pdf
    • https://cdn.shopify.com/s/files/1/0431/9831/6705/files/sokavijadipikebolulofivi.pdf
    • https://cdn.shopify.com/s/files/1/0440/7099/4085/files/bafulunifedamu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/71062637782.pdf
    • https://cdn.shopify.com/s/files/1/0428/2449/9367/files/44397824684.pdf
    • https://static.usrfiles.com/ugd/7f46b5_0519191e9ea047c7a44e06329a56ad90.pdf
    • https://static.usrfiles.com/ugd/77d535_632958eacd414da4b9f5be8badbc133f.pdf
    • https://static.usrfiles.com/ugd/d5415a_302e24f129704f0e9ed0b3ed4775db85.pdf
    • https://static.usrfiles.com/ugd/b8c837_006d5a0a982742478c06803b5a634c69.pdf
    • https://static.usrfiles.com/ugd/b8c837_69448f931abd48f8b1328e491304ecdb.pdf
    • https://cdn.shopify.com/s/files/1/0434/3706/4354/files/king_james_1611_with_apocrypha.pdf
    • https://cdn.shopify.com/s/files/1/0440/5536/3734/files/print_labels_from_google_sheets.pdf
    • https://cdn.shopify.com/s/files/1/0432/1076/8546/files/42944929433.pdf
    • https://cdn.shopify.com/s/files/1/0430/8513/6021/files/fovitalisurapesadika.pdf
    • https://cdn.shopify.com/s/files/1/0432/2607/1199/files/29523155423.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005888.bin
b26c7d09c9b290aec3de6137b0d01e58b7a761703d27fceeba314d13f16287ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5888 5080 bytes
font_01_sfnt_off000069b5.bin
1fccfb6c7f9b83859ba8ae96d2aca4afbf860a8f101feb2b0eaad707ce90bdaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69B5 12808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.