Malicious PDF — malware analysis report

Static analysis result for SHA-256 429bbba03781de97…

MALICIOUS

PDF

36.2 KB Created: 2020-09-04 23:29:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d77b7e98f4d79efa96e09371e352be7 SHA-1: 871617c5b669cf9ded9269b23556c4eb9cb12a42 SHA-256: 429bbba03781de970bbfe7ec2962a7c50a13cc51d028abc28c25322d20ab50ff
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with the primary link directing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Vpn indonesia premium apk' and the malicious URL, suggesting a lure to download or phish for credentials. The presence of numerous links to external PDFs hosted on Shopify and usrfiles.com indicates a coordinated effort to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=vpn+indonesia+premium+apk
    • https://static.usrfiles.com/ugd/89064d_272fc7693dca40fd8dada6485f99dc38.pdf
    • https://static.usrfiles.com/ugd/b77b08_c84228c0824242c9ae2ac6d46cfe513a.pdf
    • https://static.usrfiles.com/ugd/296484_185dc10a99664887ab5512dc09f03ee0.pdf
    • https://cdn.shopify.com/s/files/1/0458/0881/2198/files/51648223674.pdf
    • https://cdn.shopify.com/s/files/1/0438/4319/0946/files/podexiloxop.pdf
    • https://cdn.shopify.com/s/files/1/0433/1565/8920/files/93211415425.pdf
    • https://cdn.shopify.com/s/files/1/0436/8737/9094/files/simple_business_plan_sample_for_students.pdf
    • https://cdn.shopify.com/s/files/1/0437/8450/3453/files/nogubixenarugovimeduriwur.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa4e1d730bb54bb183730743fb3ae968.pdf
    • https://static.usrfiles.com/ugd/f65518_4384b27483aa42369615611dd3de1422.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005015.bin
6ce78132f2fb2a10c2290051b2d7ca68eb41fff063cb6ed5acca8e026dbcfe34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5015 5100 bytes
font_01_sfnt_off00006161.bin
571e2a93ed0afe94c524dfaef8a0c4f5e6f554b40a3dd67d0f41d424e5701dcd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6161 10376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.