Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b182211858dc0ea…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Created: 2020-08-28 08:49:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85743e37d1df64e949ff68f58a549c0b
SHA-1: e8e3d5a591c4c9d6484733d248a06d5ad2b89fcc
SHA-256: 3b182211858dc0eaa6e6598d69db0461b12704fceaee3d08ac4d088e5a7d5baf
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing indicating it is a malicious redirector link, specifically pointing to a URL related to 'grand theft auto vice city stories full indir'. This suggests a social engineering lure to trick users into downloading unwanted or malicious software. The document body also contains this URL, reinforcing the attack pattern. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL: https://ttraff.com/pify?keyword=grand+theft+auto+vice+city+stories+full+indir

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off000052c8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x52C8
  Size: 5304 bytes
  SHA-256: af9f3da0c3511eb31b97df5caf1d31b0e17d41693dc76d33502375eaee8ba788

font_01_sfnt_off000064d4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x64D4
  Size: 10328 bytes
  SHA-256: c7c6baaa7580d8ced6b8580e38c4ac4d6d4f3070c5408acd8bba50339a7e11f4