Malicious PDF — malware analysis report

Static analysis result for SHA-256 27637bd11861d45c…

MALICIOUS

PDF

47.2 KB Created: 2020-08-29 05:58:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 442da976a6fb22191f74064a38b4e2dc SHA-1: 99e36f2fb4351879c91482c81cd31cd917bbff34 SHA-256: 27637bd11861d45c49211b1720ae150ada20ebdfee922a1424b41331219ed8c0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Gta sa obb android 1' and the malicious URL, suggesting a lure to download potentially harmful content. The heuristic firings confirm the presence of a malicious redirector link and a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=gta+sa+obb+android+1
    • https://static.usrfiles.com/ugd/b8c837_e59049d69c4b45eb975085bc52814b9f.pdf
    • https://static.usrfiles.com/ugd/b8c837_b1dd12f2921e4ba1bb4d86d1fff3773f.pdf
    • https://static.usrfiles.com/ugd/b8c837_38323d965ee94e49931d47cd2e254611.pdf
    • https://static.usrfiles.com/ugd/b8c837_c274e91da040459b9796b3f7d95bebb5.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a0d3bf25dd049388d06aee2dfef8673.pdf
    • https://static.usrfiles.com/ugd/b8c837_5ecbdfdbc4174a6387c801116fd50566.pdf
    • https://static.usrfiles.com/ugd/b8c837_503a76db5c934cfeb5642907383139bf.pdf
    • https://static.usrfiles.com/ugd/b8c837_8853e814d99146798869e068d739845e.pdf
    • https://static.usrfiles.com/ugd/b8c837_799fc3ec7588419b9818c07b63ee78e6.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b89e0df680240afac0dccc363cee84e.pdf
    • https://static.usrfiles.com/ugd/b8c837_6f958df7d2094f449ef003b46a93c0b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_21a4a7185ed449d0845e68ac0c7f72f3.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f63613532ce4daca4650393533cabad.pdf
    • https://static.usrfiles.com/ugd/b8c837_8fb9c67ba5c34197bdd12f7c1116f610.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f49.bin
65c7e6e272fe0e3cc05410ae5c105ee7bbd90ebb2db7374773bf71557591af6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F49 4680 bytes
font_01_sfnt_off00007f30.bin
5f67fc7b14c78220aea9770927f9dce470ce2e9391019bfb50916ef7aa4df1b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F30 10128 bytes
font_02_sfnt_off0000a20b.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA20B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.