Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d1aef78f3e7b352…

MALICIOUS

PDF

53.4 KB Created: 2020-08-15 14:41:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62e854aae30b877186d56219db9689e4 SHA-1: c4dd04ba57b61d0a7dbbb5e862731d3060a868d7 SHA-256: 1d1aef78f3e7b352ca6b617f606c531731690f20751d29f20b410d317d3fa49a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a mass of external links, with one specifically identified as a redirector to malicious infrastructure. The document body, though heavily obfuscated, contains text referencing a 'leveling guide' and a URL that matches the malicious redirector. This suggests a social engineering attack aiming to trick users into visiting a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=horde+1-+60+leveling+guide+classic
    • http://vonozot.sinkutradiatorservice.com/uploads/1/3/2/7/132740264/af4fe3dba7b98.pdf
    • http://vufosonib.trudietrewin.com/uploads/1/3/1/4/131407005/fafozepuzufinanaxot.pdf
    • http://files.maranathabiblens.com/uploads/1/3/1/4/131454172/xogunetaxuw.pdf
    • http://wirupubet.levenschoir.net/uploads/1/3/1/4/131437402/vitevolilawifeluxamu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5506/2948/files/65796747786.pdf
    • https://cdn.shopify.com/s/files/1/0432/7515/7670/files/experience_letter_format.pdf
    • https://cdn.shopify.com/s/files/1/0430/8123/6634/files/belajar_gitar_elektrik.pdf
    • https://cdn.shopify.com/s/files/1/0439/1275/7400/files/ritububafaruzibotoxepe.pdf
    • https://cdn.shopify.com/s/files/1/0428/8099/1388/files/poxaziwadujijun.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7046/files/49277553747.pdf
    • https://cdn.shopify.com/s/files/1/0427/8448/9631/files/76546361255.pdf
    • https://cdn.shopify.com/s/files/1/0435/8393/0527/files/sbi_atm_card_replacement_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0430/3552/5282/files/96650303026.pdf
    • https://cdn.shopify.com/s/files/1/0433/7745/9363/files/negelubukunem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/75609531209.pdf
    • https://cdn.shopify.com/s/files/1/0430/2677/6227/files/83138024921.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000927f.bin
2b5cecb585f917ba998662d0a108747d01f26f95a7daab9cb7f598d059c38339		 pdf-font-stream PDF embedded font (sfnt) at offset 0x927F 5508 bytes
font_01_sfnt_off0000a55c.bin
f43060c7e543c8331c279bb18a9f4da25005d85a6fdd9aed2b8758545204826e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA55C 10284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.