Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a5c249d11cd2e6…

MALICIOUS

PDF

42.1 KB Created: 2020-09-08 14:43:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f3fbfbecdc6247dc61fe1d686d42c51 SHA-1: 65c50ea97182aba6c5342c4328f51094f179edbc SHA-256: 84a5c249d11cd2e6b47506631cb4cddb6bcd8d3c9d066c8a69598a98b48c8eb3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to a URL that promises a game cheat. This URL is embedded within the document body, suggesting a social engineering lure. The PDF also contains a large number of external links, many of which point to benign-looking documents, but the primary malicious link is the most critical IOC.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=hungry+dragon+unlimited+money+apk
    • https://static.usrfiles.com/ugd/a8cc01_08a0d9aef2e8495483fa701d8bdedcf8.pdf
    • https://static.usrfiles.com/ugd/e481ce_eab774b9e81f4eb0baf70b6766c76bae.pdf
    • https://static.usrfiles.com/ugd/4fb05f_4bb27e96c84e4dfe87fc50257ebc3609.pdf
    • https://static.usrfiles.com/ugd/e948c1_7e5ed29001c84552a716815bf677325e.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e97ca742095433ca6b4e60f8d16cf3a.pdf
    • https://cdn.shopify.com/s/files/1/0432/3174/0071/files/quicksort_c_code.pdf
    • https://cdn.shopify.com/s/files/1/0440/6430/9413/files/hungary_student_visa_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0460/9975/9268/files/cutting_tools_geometry.pdf
    • https://cdn.shopify.com/s/files/1/0435/1623/1840/files/temperature_sensor_calibration_procedure.pdf
    • https://cdn.shopify.com/s/files/1/0437/2656/9633/files/92833124412.pdf
    • https://cdn.shopify.com/s/files/1/0432/9200/0406/files/53623679051.pdf
    • https://static.usrfiles.com/ugd/bd1c09_85d5a3aabafa4a2fb05831bc0b749e02.pdf
    • https://static.usrfiles.com/ugd/271e65_c404b04da189453fab05642073dbca1c.pdf
    • https://static.usrfiles.com/ugd/b98abb_0e90e1c00da14a0b83c1182ac015d3a9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006456.bin
4ecb7851caba13b5834c918e6c63dc404f651cd5c8a9836b1a874c44a4d9ebda		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6456 5228 bytes
font_01_sfnt_off00007612.bin
c9a74812fc4e7df986e4c5be485632ff5446b1977ac8a80ecdbb6232b9c00e7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7612 10648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.