Malicious PDF — malware analysis report

Static analysis result for SHA-256 89dd4bb6d7802cfc…

MALICIOUS

PDF

41.4 KB Created: 2020-08-31 10:21:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 789f3659403f3c5f62460d23cdf36232 SHA-1: c5266bcdc1120974fb6c8d928db140c60d0d90b9 SHA-256: 89dd4bb6d7802cfc6f18b232c6de160a2e9cc33db2dcb2cd64283ebf50157309
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to a URL that appears to be a lure for game mod downloads. The document body, though partially corrupted, contains text related to 'gangstar new orleans mod apk unlimited money' and the malicious URL itself. The presence of a large number of embedded links, many pointing to Shopify, suggests a link farm designed to obscure the ultimate malicious destination. The primary malicious URL is https://ttraff.ru/wix?keyword=gangstar+new+orleans+mod+apk+unlimited+money.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=gangstar+new+orleans+mod+apk+unlimited+money
    • https://cdn.shopify.com/s/files/1/0431/1855/9393/files/54412160615.pdf
    • https://cdn.shopify.com/s/files/1/0429/8348/9690/files/4629253254.pdf
    • https://cdn.shopify.com/s/files/1/0429/0894/2499/files/15333723680.pdf
    • https://static.usrfiles.com/ugd/e643da_be08fd307ce048deb29ca08356c1a5ca.pdf
    • https://static.usrfiles.com/ugd/8a419d_8d11a9d2725e440187f227a6bf6dc815.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_1383a77c62664df49e6f182fd19c621f.pdf
    • https://static.usrfiles.com/ugd/b8c837_caba378897434a4e9a4c7be3dabc2fbf.pdf
    • https://static.usrfiles.com/ugd/e8506d_06a9a6f2dcf042309ab52014bc8189d4.pdf
    • https://static.usrfiles.com/ugd/eaf48f_d75f37f9818345d3b54076e3549faac7.pdf
    • https://static.usrfiles.com/ugd/ad2ade_ee176f3bbb7b47569a3e6262c0f6e500.pdf
    • https://static.usrfiles.com/ugd/a2e20a_ddf65e46d00d4fa99cec90b6d5fcdd45.pdf
    • https://static.usrfiles.com/ugd/10e3af_4a68f5bbff124249af38ce9a6f905dad.pdf
    • https://static.usrfiles.com/ugd/b8c837_d23c1eba621f40bb99e90e7af201886d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000629e.bin
758227548c393cb050a0e4b11233cad19b35bfdfca9e39d238de658df4ab98c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x629E 5568 bytes
font_01_sfnt_off0000759d.bin
72411e0b9e3aa380dcfe0dbc6f70865e276e8b673f4ceeddb9b25d620931519a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x759D 10164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.