Malicious PDF — malware analysis report

Static analysis result for SHA-256 e778c9890e66e8b1…

MALICIOUS

PDF

47.7 KB Created: 2020-08-31 03:25:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79d532b0f94a88b035fc08ccfa46410d SHA-1: 3657e0447935d42a2e669eefbed6aea4b343baf8 SHA-256: e778c9890e66e8b1a058838a62970d2a0ae9964e754083aca4220907bb00bca6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to malicious infrastructure. The document body, though partially corrupted, contains text related to 'New york art expo 2016' and the malicious URL. The PDF_SEO_LINK_FARM heuristic also indicates the presence of numerous external links, with the primary one being a redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=new+york+art+expo+2016
    • https://cdn.shopify.com/s/files/1/0438/7930/1275/files/nibasebesikotewudov.pdf
    • https://cdn.shopify.com/s/files/1/0434/3637/6214/files/roniteretewe.pdf
    • https://cdn.shopify.com/s/files/1/0433/6497/4742/files/bopuwexuxoboxixevewezawog.pdf
    • https://cdn.shopify.com/s/files/1/0432/1456/9640/files/11364938158.pdf
    • https://static.usrfiles.com/ugd/b8c837_53b723ca448249d7b193bc810be51e90.pdf
    • https://static.usrfiles.com/ugd/d54300_a533ef01863f424daed963d507884409.pdf
    • https://static.usrfiles.com/ugd/b8c837_c25260b9f02742dab984909aaf39f187.pdf
    • https://cdn.shopify.com/s/files/1/0431/7901/6360/files/82945839528.pdf
    • https://cdn.shopify.com/s/files/1/0435/2226/1143/files/60445209308.pdf
    • https://cdn.shopify.com/s/files/1/0430/6475/4325/files/appium_driver_jar.pdf
    • https://cdn.shopify.com/s/files/1/0432/7273/2836/files/45236599805.pdf
    • https://static.usrfiles.com/ugd/f14cf6_77d431e61be240359ce0762a9ce770c5.pdf
    • https://static.usrfiles.com/ugd/ac51ce_e5fddd0675b2454695c2d3bad7f69eb2.pdf
    • https://static.usrfiles.com/ugd/b8c837_c91f7b46b6004e72a4e186cd9e11a7bd.pdf
    • https://static.usrfiles.com/ugd/9734e7_44369ca78c6b48e4800e4938df6c9d13.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000611f.bin
e63882331f4f9035abba9d9c46fdf857fb465de6bd0e0c5564de969b1b9e1b20		 pdf-font-stream PDF embedded font (sfnt) at offset 0x611F 5376 bytes
font_01_sfnt_off000073a8.bin
1f7440bc85c8fe80f057d992bdeb76706e4d15980a3e0de7cde176abe986c039		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73A8 10640 bytes
font_02_sfnt_off000097f4.bin
74b40b646b8de1fe0cf333caae111113009aee107325971746a0765930eb9b6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97F4 17020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.