Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef83732e2749d670…

MALICIOUS

PDF

40.0 KB Created: 2020-09-04 17:21:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 902277c195b23493fecfee3a772e3f19 SHA-1: 4a11c8cfee832cf449ba2390a76133be33ba35ec SHA-256: ef83732e2749d670157dfe38eef0acc0c4cf489312c884d28cce4578ed4202cf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic match for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The document body, though partially corrupted, contains text suggesting a lure related to 'bag tag template word' and includes the malicious URL. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, likely for SEO manipulation or to host further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=bag+tag+template+word
    • https://cdn.shopify.com/s/files/1/0431/5381/7762/files/xifukefepalelova.pdf
    • https://cdn.shopify.com/s/files/1/0436/2256/4000/files/43075406538.pdf
    • https://cdn.shopify.com/s/files/1/0436/5660/9957/files/eia_oil_inventory_weekly_report.pdf
    • https://cdn.shopify.com/s/files/1/0435/2675/0357/files/baxotuvifasikiras.pdf
    • https://cdn.shopify.com/s/files/1/0434/4971/2806/files/nafedobalagozesenavesu.pdf
    • https://static.usrfiles.com/ugd/eb4c03_1a2b0b71a5fd4b5fa1a6172230fe2f46.pdf
    • https://static.usrfiles.com/ugd/516574_243e13ec0bf0471c94f84b392f896c07.pdf
    • https://static.usrfiles.com/ugd/b8c837_43528278c59f498e8f6ef7ec3e2895a6.pdf
    • https://static.usrfiles.com/ugd/9c58c5_ab11d29d68f747209c38ed533878ab53.pdf
    • https://static.usrfiles.com/ugd/d5d855_0641e1bac3db424c849d8ed654a41af2.pdf
    • https://static.usrfiles.com/ugd/b8c837_f634a547c06b4242b47af299b17345c7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ff4.bin
146b53ab085ae0c049bf15123996fff9f6b5ff3162f8903fb0c080cbaf7c976f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF4 5244 bytes
font_01_sfnt_off000071c2.bin
198a2488f9afd0080c76342c6b798745ede9e00facd7e54ed396c66f72ecc5f5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71C2 9876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.