Malicious PDF — malware analysis report

Static analysis result for SHA-256 1eabdf9ff62bbbf7…

MALICIOUS

PDF

39.5 KB Created: 2020-08-17 14:45:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81cef661e430c1ee8c753d155cfcc99c SHA-1: 249b35b986e995c0d5277102326d4784c93b0126 SHA-256: 1eabdf9ff62bbbf7e384268dde07fcba4a3b58f69c3e975a034897e225b081ab
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service known to host malicious content. The document body, though partially corrupted, contains a URL related to a 'cricket mobile game' which likely serves as a lure. The primary heuristic indicates the PDF is a malicious redirector, attempting to lead the user to harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=cricket+mobile+game
    • http://files.dieseledge.com/uploads/1/3/0/8/130813489/80f1d0603ef.pdf
    • http://files.smrhoa.net/uploads/1/3/0/7/130776682/ximosopuvames.pdf
    • https://cdn.shopify.com/s/files/1/0432/8813/3787/files/contemplate_life_gif.pdf
    • https://cdn.shopify.com/s/files/1/0430/7084/9177/files/magisterium_livro_1.pdf
    • https://cdn.shopify.com/s/files/1/0427/8845/4559/files/pananibufujetoxot.pdf
    • https://cdn.shopify.com/s/files/1/0437/1978/6645/files/60811195108.pdf
    • https://cdn.shopify.com/s/files/1/0428/0506/7943/files/81276249649.pdf
    • https://cdn.shopify.com/s/files/1/0431/2724/2903/files/aditya_birla_health_insurance_proposal_form.pdf
    • https://cdn.shopify.com/s/files/1/0440/2121/9493/files/93080566401.pdf
    • https://cdn.shopify.com/s/files/1/0430/7684/5728/files/fasb_asc_842.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ca4.bin
922fc14a0c88cb59a541c64974cafc20d4ddc1b47449aea83a77ce55e8dcfb75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CA4 5048 bytes
font_01_sfnt_off00006db9.bin
35e9389cb01b8924a2f34bd23ef05c4d06e29306236d25a939ab00e2825594d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DB9 10644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.