Malicious PDF — malware analysis report

Static analysis result for SHA-256 356fde0f53a24efb…

MALICIOUS

PDF

Size: 47.1 KB
Created: 2020-08-31 00:25:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d6e40299af02622f54495f2febdf615
SHA-1: bbfcba5326b7f19a5f6af705e4e11ada3eb5d3a7
SHA-256: 356fde0f53a24efb24618fbdef0da53555b92e755c0416b193d7c298a54fd1ee
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable link annotations. The primary malicious URL, https://ttraff.com/wix?keyword=iravukku+aayiram+kangal+full+movie+d, points to a known malicious redirector; the remaining links point to other PDFs hosted on the same two CDN hosts (cdn.shopify.com and static.usrfiles.com), the pattern of a generated link farm. The document body text, although heavily obfuscated, reads as a lure built around a movie title (the redirector URL's keyword parameter spells out "iravukku aayiram kangal full movie"), intended to get the reader to click the redirector link. No parser exploit or active content is involved; the sample depends entirely on user interaction.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel through which each URL is reached (macro, JavaScript, link annotation, document body, metadata, ...) determines its weight.
    Clickable link annotations (URI actions):
    • https://ttraff.com/wix?keyword=iravukku+aayiram+kangal+full+movie+d
    • https://cdn.shopify.com/s/files/1/0429/7129/9999/files/24952786288.pdf
    • https://cdn.shopify.com/s/files/1/0433/8135/8759/files/xonogenupudaliberivisujij.pdf
    • https://cdn.shopify.com/s/files/1/0432/8685/5840/files/ssat_analogies_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0428/2118/9788/files/32802388484.pdf
    • https://static.usrfiles.com/ugd/a2ebd8_98595ae0553b4f1aa68a42b532c83150.pdf
    • https://static.usrfiles.com/ugd/b9801a_a3231f6353064d1bbd3443db26c911e8.pdf
    • https://static.usrfiles.com/ugd/b910ae_c021736d33964a5c9ec96b6ada40e37c.pdf
    • https://static.usrfiles.com/ugd/10b11f_f9c13a97a82145968e88f822bbff1894.pdf
    • https://static.usrfiles.com/ugd/60933b_650f5bb91e82409c8db4c3463469d8ab.pdf
    • https://static.usrfiles.com/ugd/b8c837_0f6efb5891d44ca0b4e97c0a94d21fcd.pdf
    • https://static.usrfiles.com/ugd/7d21c0_bdc41afdd39d45ccbf98ffe0562e9b52.pdf
    • https://cdn.shopify.com/s/files/1/0431/4529/8077/files/35753405251.pdf
    • https://cdn.shopify.com/s/files/1/0429/2611/2927/files/samuel_barber_agnus_dei.pdf
    XMP metadata namespace identifiers (standard RDF, Dublin Core and Adobe schema URIs from the document's metadata; these are not clickable links and are not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
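The two critical heuristics above reduce to a simple byte-level check: pull every URI action target out of the file, keep it separate from URLs that merely occur inside the XMP metadata stream, and flag a small file whose clickable links are mostly .pdf targets clustered on one host. The following is an added example that implements that check; it is not the scanner's own code. The thresholds (LINK_FARM_MIN_LINKS, LINK_FARM_MAX_SIZE, LINK_FARM_HOST_SHARE), the placeholder hosts and the minimal PDF built by build_sample_pdf are constructed for the demonstration and are assumptions, not values taken from this report.

```python
"""Extract URLs from a PDF by carrying channel and apply a link-farm heuristic
of the kind described by the PDF_SEO_LINK_FARM / EMBEDDED_URL verdicts.

Added example, not the scanner's own code. Thresholds and the sample PDF are
constructed assumptions for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds: the report does not publish the scanner's real values.
LINK_FARM_MIN_LINKS = 6          # clickable external .pdf links needed to flag
LINK_FARM_MAX_SIZE = 200 * 1024  # upper bound for "small PDF", in bytes
LINK_FARM_HOST_SHARE = 0.5       # share of links that must sit on one host

# Standard XMP/RDF schema namespaces. They appear as URIs inside the
# /Metadata stream but are identifiers, not clickable links.
XMP_NAMESPACES = {
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
}

# "/URI (...)" is the target of a URI action; "/S /URI" is never followed by
# "(", so this matches only target strings. Backslash escapes are allowed.
_URI_VALUE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
_METADATA_STREAM = re.compile(rb"/Type\s*/Metadata.*?stream\r?\n(.*?)endstream", re.S)
_ANY_URL = re.compile(rb"https?://[^\s\"'<>)]+")


def _unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for a URL."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Return URLs grouped by the channel that carries them."""
    links = [_unescape(m.group(1)) for m in _URI_VALUE.finditer(pdf)]
    meta = [u.decode("latin-1")
            for m in _METADATA_STREAM.finditer(pdf)
            for u in _ANY_URL.findall(m.group(1))]
    return {
        "link_annotation": links,  # clickable URI actions
        "xmp_namespace": [u for u in meta if u in XMP_NAMESPACES],
        "xmp_other": [u for u in meta if u not in XMP_NAMESPACES],
    }


def link_farm_verdict(pdf: bytes) -> dict:
    """Small PDF whose clickable links are mostly .pdf targets on one host."""
    links = extract_urls(pdf)["link_annotation"]
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(links) if links else 0.0
    pdf_links = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links)
    flagged = (len(pdf) <= LINK_FARM_MAX_SIZE
               and pdf_links >= LINK_FARM_MIN_LINKS
               and share >= LINK_FARM_HOST_SHARE)
    return {"flagged": flagged, "size": len(pdf), "link_count": len(links),
            "pdf_link_count": pdf_links, "top_host": top_host,
            "top_host_share": round(share, 2)}


def build_sample_pdf(urls) -> bytes:
    """Construct a minimal PDF (xref table omitted, enough for byte scanning)
    with one /Link annotation per URL and an XMP metadata stream.
    Constructed test input, not a real sample."""
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 100 {i * 12 + 10}] "
              f"/A << /S /URI /URI ({u}) >> >>" for i, u in enumerate(urls)]
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
            f"/Annots [{' '.join(annots)}] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed link set mirroring the report's shape: one redirector link plus
# .pdf links clustered on two placeholder CDN hosts (assumed names).
SAMPLE_URLS = (["https://redirect.example.test/wix?keyword=full+movie"]
               + [f"https://cdn.example-a.test/files/{n}.pdf" for n in range(7)]
               + [f"https://static.example-b.test/ugd/{n}.pdf" for n in range(3)])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for channel, urls in extract_urls(SAMPLE_PDF).items():
        print(f"{channel}: {len(urls)} URL(s)")
    print(link_farm_verdict(SAMPLE_PDF))
```

Run against a real file with `link_farm_verdict(open(path, "rb").read())`. The byte-scanning approach deliberately ignores object streams and compressed content, so a PDF that stores its annotations inside a FlateDecode object stream needs inflating first; for a wkhtmltopdf/Qt output like this sample the annotation dictionaries are written in clear.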

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size         SHA-256
font_00_sfnt_off0000655b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x655B   5212 bytes   1bc84b4c8de4ab99d20e26eeeb52aa0cf05590a2c1bcf5e01402822466c88f77
font_01_sfnt_off00007712.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7712   10180 bytes  8194dea9b6911920e19f774fc2f30e2970c2f183d281472c176571f1704f3309
font_02_sfnt_off000099ee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x99EE   16164 bytes  ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8