Malicious PDF — malware analysis report

Static analysis result for SHA-256 28ebd52029ef8afe…

MALICIOUS

PDF

45.1 KB Created: 2020-09-17 08:45:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64681e70db2ff861e356d8a4610c9620 SHA-1: 3ba6e7de13acebc2ebda2a4d201264900ca8d5dc SHA-256: 28ebd52029ef8afe628bf3f7a9e7b959fc5f1c13950caff6538c3f6c81c53a20
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, with one prominent link leading to a known malicious redirector. The document body, though partially corrupted, contains text that appears to be a lure for a game, 'Tangerine Tycoon unblocked', and includes the malicious URL. This suggests the PDF is designed to trick users into visiting the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=tangerine+tycoon+unblocked
    • https://cdn.shopify.com/s/files/1/0438/2808/4896/files/45753163052.pdf
    • https://cdn.shopify.com/s/files/1/0431/8419/3697/files/lizadivanovaxateki.pdf
    • https://cdn.shopify.com/s/files/1/0435/1718/2104/files/fovipabelunitekabesam.pdf
    • https://cdn.shopify.com/s/files/1/0430/3755/6889/files/overstreet_price_guide_2015.pdf
    • https://2c0fc7c0-1b02-4b48-87ce-07861aef2910.filesusr.com/ugd/b09e1d_4585258a67e64a5e878ff5b0f18cf961.pdf?index=true
    • https://882934b5-0e33-45db-9829-7bf7bda0b4c2.filesusr.com/ugd/5c8b2f_2b182ff029ee4351ace2e838beb2013e.pdf?index=true
    • https://52077c9c-8027-4fb8-b126-df1b2f1f9a64.filesusr.com/ugd/90d19e_1b23473a7a504bdaa30319836bb73276.pdf?index=true
    • https://48b32ebd-8c75-4395-b1e5-d20f25433ece.filesusr.com/ugd/4c1554_bfbe65fe47db49469521ba6e2ea5f5d2.pdf?index=true
    • https://886e455f-6976-4f77-9f45-67343196d306.filesusr.com/ugd/92ee2b_009c36f6534848f8aa4c15062328536b.pdf?index=true
    • https://0b3b5d00-11c9-42aa-9f87-e92013ca756e.filesusr.com/ugd/113e89_ae6ff127426e48e5ab7c337ca6a20875.pdf?index=true
    • https://be10fef0-8626-484c-a5aa-ddd52c729ebe.filesusr.com/ugd/9d66c7_6afd8539fb884e629ef1ed1a2b73154d.pdf?index=true
    • https://faed033d-5f03-4ace-9da9-d022a33a3531.filesusr.com/ugd/61567a_ff9eaa2499db4f36971b5995745f723d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005dcc.bin
315246e120b63a50c082e44bb137146c2df13de1c097fd4d8d317fbdd4eb2bbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DCC 5184 bytes
font_01_sfnt_off00006f89.bin
f408c7239f639481c67a39aa0d287e4915bb5b9c348ca12e0e77f31aa85654d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F89 10372 bytes
font_02_sfnt_off0000933b.bin
52db30b66cfb76898988bc7c6ed152514c301740808ab95bec9c68e49df23550		 pdf-font-stream PDF embedded font (sfnt) at offset 0x933B 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.