Malicious PDF — malware analysis report

Static analysis result for SHA-256 88cb199c9b6fd04b…

Verdict: MALICIOUS
File type: PDF
Size: 65.2 KB
Created: 2020-09-17 01:26:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91a5c17e530f9458647d56847bf81d95
SHA-1: bd6a700811fa69a430faaa4a2ea082753593a967
SHA-256: 88cb199c9b6fd04babc281db38dd23440dcb358104357374ec9cf89bd3a4d745
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to suspicious domains and a known malicious redirector. The document body and the embedded links suggest a lure, disguised as game-related content, that leads the user to download potentially malicious content or to visit phishing sites. The heuristics PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM indicate a clear intent to redirect users to malicious infrastructure.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00005e11.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5E11  6364 bytes
  SHA-256: 1e66a4561b3c0189484c5480e0919ab9d25bf77790cc30497824f9b4ff1a02f2
font_01_sfnt_off00007405.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7405  5368 bytes
  SHA-256: a3e82205eecf4f034227c58b507f6358053447212d191c74948e44b5804fec50
font_02_sfnt_off000085f5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x85F5  6192 bytes
  SHA-256: db586d0873e0e5440fbb87238c76d2c37478c1a027fb37a61e7a9bf4067355c5
font_03_sfnt_off000094f1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x94F1  6108 bytes
  SHA-256: 59bb01a216f067f93eb13e2ce8a3f2d64d4154cdb7c494682b258208a6da380b
font_04_sfnt_off0000a4b6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA4B6  12092 bytes
  SHA-256: 33a2102169f8e0d84fa28d6e8cf87ef062e841abb5107630fc30386470f3ecca
font_05_sfnt_off0000cd31.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCD31  17568 bytes
  SHA-256: a13dc2798096bbec41a30534ae56eb1f02bcfb1cf7d07c2c18e3b3194d0ea2d7
font_06_sfnt_off0000e742.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE742  6088 bytes
  SHA-256: 944c897477d4eff5c94eb54384ee6f1ca53e1a2bd0650ccb5d188c8d536f2acd