Malicious PDF — malware analysis report

Static analysis result for SHA-256 57dd814113d27324…

MALICIOUS

PDF

37.4 KB Created: 2020-09-08 10:23:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 775389ca1d3bc6696e06da8fe59315e7 SHA-1: 457d579c309c9ba2f4cb612aaab5fb01641cef4c SHA-256: 57dd814113d27324fcea5efc3670940d7d727c86cd6458842fd54bb5aef6d556
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded URLs, with one heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text that appears to be a lure for a movie download, and the primary malicious URL is associated with this lure. The presence of numerous links, many pointing to static file hosting, suggests a link farm or SEO poisoning tactic to distribute the malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=bhaigiri+2+full+movie++mp4
    • https://static.usrfiles.com/ugd/53cfc7_8753183ec82e485db4279db73a278778.pdf
    • https://static.usrfiles.com/ugd/b8c837_7623674079ae4d38a386c18a331a61c8.pdf
    • https://static.usrfiles.com/ugd/97634b_24535f0bad00452d80e83b348e62effc.pdf
    • https://static.usrfiles.com/ugd/374ce0_15354aef1bb24a2b81e547c480271d3c.pdf
    • https://cdn.shopify.com/s/files/1/0434/1386/4604/files/8120583198.pdf
    • https://static.usrfiles.com/ugd/368de4_478bf6e7725940d5b5b7de7d017d5e66.pdf
    • https://static.usrfiles.com/ugd/16a96a_e7dc65dde05a467abb6fce9872f8f24e.pdf
    • https://static.usrfiles.com/ugd/3f80ec_639f31fcc2ef475fa6579f3d6bd447a1.pdf
    • https://static.usrfiles.com/ugd/a2d007_9b3ee8aab256434fa2420956f87a12b2.pdf
    • https://static.usrfiles.com/ugd/739437_acc2c079105f46258a148c30827bf668.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005797.bin
febf2254f541114e3bd0ffc677d99bf8a86ff8ad31cab26fffe0ffc03adbe29c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5797 5464 bytes
font_01_sfnt_off00006a1c.bin
a6472c4e51d4c1b63a2131a69d60af5f78c96e436c0d20ebd79624b46abfa128		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A1C 9016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.