Malicious PDF — malware analysis report

Static analysis result for SHA-256 5288d7135596b533…

MALICIOUS

PDF

42.4 KB Created: 2020-08-29 21:48:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53ca914d74d8b3b5ecc06e94269de1de SHA-1: 9f72270e3b89e3f2ebbe8ec276fae6f94c1fff2d SHA-256: 5288d7135596b533728c3475c930053eb00101679c0cae1c47d0d01f26eaf587
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a domain known for malicious redirectors. The document body, though heavily obfuscated, contains a URL that appears to be a lure for game ISOs, directing users to a malicious domain. This suggests a social engineering attack aimed at redirecting users to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=xenoblade+chronicles+wii+iso+espa%25C3%25B1ol
    • https://static.usrfiles.com/ugd/b8c837_eede3ab716d54fe9b473468c1b025f2a.pdf
    • https://static.usrfiles.com/ugd/accd1f_c14d34d96ef94e649bf6f99414f6f955.pdf
    • https://static.usrfiles.com/ugd/b8c837_c08fcbbed20741a2b12fb4785c554676.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65817182127.pdf
    • https://cdn.shopify.com/s/files/1/0430/9201/7305/files/74780022301.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b7ebcd445e74058885c7f8dd977fa4d.pdf
    • https://static.usrfiles.com/ugd/09273f_e76002013fdb4d40876445d38c0cb684.pdf
    • https://static.usrfiles.com/ugd/02beb7_7168f11f019e493594587ded0d737e7b.pdf
    • https://cdn.shopify.com/s/files/1/0432/8803/5486/files/36514463588.pdf
    • https://cdn.shopify.com/s/files/1/0428/8105/6935/files/1706686845.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005719.bin
65ebb525638ac9d5315fc7e7ed6dae6e54c19293b6bb04b08b074acf5859a4db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5719 5292 bytes
font_01_sfnt_off000068b7.bin
cafbbb0ec217387fd0872cb31929d0278356acc6546b9bcbd5eafc63f22a71cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68B7 10736 bytes
font_02_sfnt_off00008cf4.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CF4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.