Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f3c295bc5ab8ca0…

MALICIOUS

PDF

29.9 KB Created: 2020-09-16 19:01:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e808a103e52ae3792e6b72f1d9dd712 SHA-1: 0ed3ec9cae96dd180bcf1fd965c2e01f31d3e606 SHA-256: 8f3c295bc5ab8ca02afbacdc0aa556d94bfa7f0e304e6fd466dc04a58c063c95
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'fnaf 4 unblocked scratch' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of a malicious redirector link indicates an attempt to lead the user to a harmful site, likely for further exploitation or credential harvesting.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=fnaf+4+unblocked+scratch
    • https://cdn.shopify.com/s/files/1/0436/1263/5299/files/35671186637.pdf
    • https://cdn.shopify.com/s/files/1/0427/9618/7815/files/charlotte_princess_and_the_frog_dress.pdf
    • https://cdn.shopify.com/s/files/1/0460/4008/8740/files/85696482731.pdf
    • https://cdn.shopify.com/s/files/1/0434/4630/4933/files/kefaril.pdf
    • https://ae903360-c417-4d0a-878f-171f0352b056.filesusr.com/ugd/7e0eb0_3a77769d2e034e949947b717a0b587ab.pdf?index=true
    • https://676f7d06-2ed8-4ffd-ac2f-cd41d27ee609.filesusr.com/ugd/384ea4_a4801e24ba4842ada097278a33275782.pdf?index=true
    • https://1189e396-f370-43e7-bef6-ec0c3010ba29.filesusr.com/ugd/3bf302_134f8385506b4b46a4a4e8e0ced84501.pdf?index=true
    • https://f4d1e2dd-8bcd-4ffb-be3c-3cd12bf2f646.filesusr.com/ugd/911c12_2f6e6ab507aa47449967b4c4797e4a51.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/3755/6899/files/nys_dmv_motor_vehicle_accident_report.pdf
    • https://cdn.shopify.com/s/files/1/0435/9910/2115/files/66992264666.pdf
    • https://cdn.shopify.com/s/files/1/0439/0571/2296/files/rijobajoguv.pdf
    • https://cdn.shopify.com/s/files/1/0431/6823/5675/files/peverosegakitipu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003cd7.bin
e6d99b859758c1cc76f4377064ff40e83f0cae92ec248925a3188db3e3dcd6ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3CD7 5356 bytes
font_01_sfnt_off00004f0f.bin
d6347c7ae834aa25fb2ac08299b84282dca6a46e0ba06ed2bae37a61cf2c634d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4F0F 8340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.