Malicious PDF — malware analysis report

Static analysis result for SHA-256 fecfebdc451b2544…

MALICIOUS

PDF

51.4 KB Created: 2020-08-29 22:13:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 33b6937d15aaf3f0f56d107535aeadfc SHA-1: d9135309e103ce558cc11f3fb1689dc6d68634cb SHA-256: fecfebdc451b25445e4bcce19f74527fcd42e7aaa7e81df186dbcec2a806b5bc
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to benign Shopify URLs, but one critical link directs to a known malicious redirector. This suggests a link farm or SEO poisoning tactic designed to lure users to malicious infrastructure. The presence of urgency language further supports a phishing or social engineering attempt. No scripts were extracted, but the primary attack vector appears to be the redirection to the malicious URL.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=path+of+the+zealot+barbarian
    • https://cdn.shopify.com/s/files/1/0428/9904/6553/files/cambridge_primary_english_learner_s_book_stage_4.pdf
    • https://cdn.shopify.com/s/files/1/0437/9020/5090/files/platform_number_2_video_bhojpuri_film.pdf
    • https://cdn.shopify.com/s/files/1/0432/6644/1376/files/73744066648.pdf
    • https://cdn.shopify.com/s/files/1/0431/0600/9255/files/mobifejugagefelof.pdf
    • https://cdn.shopify.com/s/files/1/0434/3670/3900/files/32705908808.pdf
    • https://cdn.shopify.com/s/files/1/0432/1925/5454/files/ar_desai_rural_sociology.pdf
    • https://cdn.shopify.com/s/files/1/0434/8788/7526/files/14595243968.pdf
    • https://cdn.shopify.com/s/files/1/0432/7063/5676/files/dawusiniburefu.pdf
    • https://cdn.shopify.com/s/files/1/0437/0916/9815/files/gateways_to_art_1st_edition.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb9c164d9f764af6adca72799d9bd272.pdf
    • https://static.usrfiles.com/ugd/b8c837_a35a52cb868b4ccfbcf705065ad8575a.pdf
    • https://static.usrfiles.com/ugd/b3bc21_e3749aa6eb6f446fadbf5252c3e6b573.pdf
    • https://static.usrfiles.com/ugd/b8c837_132628c7ef364e36a9117a681bf6acdf.pdf
    • https://static.usrfiles.com/ugd/b8c837_11d99a272e5f477d89cff1e1d3fb424c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008d59.bin
344e839f7f814dd8032376173449361a8820391667fb9d403d376ff1a9c3301b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D59 4868 bytes
font_01_sfnt_off00009dec.bin
4f2736bfd61056d3ca0e8491f1666511a523557ade84772b0bfedf89836f776a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9DEC 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.