Malicious PDF — malware analysis report

Static analysis result for SHA-256 5106514d6f0db039…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-08-19 01:05:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84625548811a7b5a2778f652ca3ced82
SHA-1: fc21ea52120baf4bb0862c13f67d84a02db711b1
SHA-256: 5106514d6f0db039bf559f0cb8c200f0e3b8ce877ece6fb5c2654358f6d00552
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of embedded external links, identified as a PDF link farm. One of these links, 'https://ttraff.cc/pify?keyword=jar+jad+action+games', points to known malicious redirector infrastructure. The presence of a visual download button lure further suggests an attempt to trick the user into clicking malicious links. The document body is heavily obfuscated and contains embedded URLs, reinforcing the malicious intent.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=jar+jad+action+games (flagged: known malicious redirector infrastructure)
    • http://jafozesot.louiseashcroft.org/uploads/1/3/1/1/131164100/4199d9832644e.pdf
    • http://files.kyler-leroux-coaching-portfolio.com/uploads/1/3/0/9/130969220/53448.pdf
    • http://jedif.paramountlimousines.com.au/uploads/1/3/0/8/130814328/0a58860b8753.pdf
    • https://cdn.shopify.com/s/files/1/0439/5932/0734/files/lexical_and_grammatical_categories.pdf
    • https://cdn.shopify.com/s/files/1/0431/5581/6599/files/selekagowepotegibusa.pdf
    • https://cdn.shopify.com/s/files/1/0434/1560/1304/files/demopijezaguvifur.pdf
    • https://cdn.shopify.com/s/files/1/0431/5820/8672/files/15318384651.pdf
    • https://cdn.shopify.com/s/files/1/0429/8512/8090/files/nemilamekipegamafobiwonav.pdf
    • https://cdn.shopify.com/s/files/1/0429/5108/2143/files/1999_royal_rumble.pdf
    • https://cdn.shopify.com/s/files/1/0438/4446/8898/files/watch_faces_for_apple_watch.pdf
    • https://cdn.shopify.com/s/files/1/0437/4872/0789/files/zedinubamajewipib.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005dde.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5DDE   5292 bytes
  SHA-256: 73fcdbc89fe6d1673724c5e5d1b000d2a16940998f3deaa2b1d458b4414c10c6
font_01_sfnt_off00006fc4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6FC4   10848 bytes
  SHA-256: e961e3326daf496c837d1d3e69d4cdb25bfd5adbf3cc4a4927608fe07572f42f