Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c573381fe1eb5f2…

MALICIOUS

PDF

47.9 KB Created: 2020-08-21 15:06:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b15dfa8193ced3d4c37d34fe9bb866a SHA-1: 0fc4e6c2dda0a801f9dcf3436b4cd4e03da253cf SHA-256: 4c573381fe1eb5f2b12d7f479341ab38ed9ea23b256d4c32b3f2446d5462ecae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass external link farm, with a critical heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains text referencing a movie title and the malicious URL. This indicates a social engineering lure to trick users into visiting a malicious site, likely for further exploitation or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bahadur+2014+full+movie+kannada
    • http://files.carpetcleanersnetwork.com/uploads/1/3/1/8/131856040/rebaxabibas.pdf
    • http://files.hitchhouseusa.com/uploads/1/3/2/7/132710627/4473071.pdf
    • http://xujep.babycarriersmalta.com/uploads/1/3/1/1/131163908/nilow_polibabalusod.pdf
    • https://cdn.shopify.com/s/files/1/0431/0922/0501/files/dekufurelowebokigav.pdf
    • https://cdn.shopify.com/s/files/1/0433/5396/4712/files/berwickshire_high_school_inspection_report.pdf
    • https://cdn.shopify.com/s/files/1/0440/6640/6552/files/gaselalobutipu.pdf
    • https://cdn.shopify.com/s/files/1/0438/2441/4882/files/mulojorezilakufuziluxopi.pdf
    • https://cdn.shopify.com/s/files/1/0446/6769/9353/files/kureze.pdf
    • https://cdn.shopify.com/s/files/1/0429/6101/0842/files/kedimezedizomavufuki.pdf
    • https://cdn.shopify.com/s/files/1/0431/5503/0170/files/jinja2_ansible_tutorial.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005be5.bin
ba8e628dab434b1c3674ad09b6eb3d53aaba64fc9b982f863d9ced09b3f911f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE5 5556 bytes
font_01_sfnt_off00006eb6.bin
0e740c61756979a8dabef67be94caa2cb9cfb2f5bb5e5980f923b019063a4bbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EB6 2736 bytes
font_02_sfnt_off00007a8f.bin
c3906cdc42f4495abd1113b9751566a0a88c1b0a4cf386475604d3d115919f3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A8F 10080 bytes
font_03_sfnt_off00009d60.bin
ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D60 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.