Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c59b5226a547cdb…

MALICIOUS

PDF

46.5 KB Created: 2020-08-31 01:33:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a96783ab736bb50ad33ad5856e30cc2 SHA-1: c4e8c84d52a773d8be2ce5888d1a10ce9e843333 SHA-256: 8c59b5226a547cdbf142f4e7fbe95dd8f469303345a9eb35db9a760989e178ab
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one critical heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'Zuma full game free download for pc' and a URL that aligns with the malicious redirector. This suggests a social engineering lure to trick users into downloading potentially malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=zuma+full+game+free+download+for+pc
    • https://cdn.shopify.com/s/files/1/0429/7064/4631/files/91760815659.pdf
    • https://cdn.shopify.com/s/files/1/0430/4253/7629/files/49043674827.pdf
    • https://cdn.shopify.com/s/files/1/0433/6336/9125/files/marigivunamijad.pdf
    • https://cdn.shopify.com/s/files/1/0446/6160/4505/files/facilities_planning_tompkins.pdf
    • https://cdn.shopify.com/s/files/1/0430/9296/7581/files/javascript_interview_questions_and_answers_for_freshers_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0436/7292/8409/files/how_to_create_app_bundle_in_android.pdf
    • https://cdn.shopify.com/s/files/1/0430/9640/8218/files/38107954551.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_b6d6e858f972488191efd251b46e45c1.pdf
    • https://static.usrfiles.com/ugd/a382ee_d3b185a0a990447cbc87ad5268a2c4f9.pdf
    • https://static.usrfiles.com/ugd/a382ee_76424e8032f14ce6a16f80991ceee2ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_7859c7c65faa4e118d26c53da8b0fea7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007799.bin
a1bce3bfc662886c77291e5992a1c22f7c7109fb9efae62dceff7d907dab4b61		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7799 5348 bytes
font_01_sfnt_off000089c9.bin
bfd2743ecbba543180c4f92481b595c6a936d38820175f51e00ef31420a16ffb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89C9 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.