Malicious PDF — malware analysis report

Static analysis result for SHA-256 97068e83eb78b402…

MALICIOUS

PDF

43.4 KB Created: 2020-08-17 07:13:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b1232a32dc5440d478d35a2a8c83dd94 SHA-1: 2c1974e5cb10d056952f956be60a710363704ab2 SHA-256: 97068e83eb78b402e78935da76f924cb00f8c2a94bb2eb35eb85184135a26911
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a link farm and a specific malicious redirector URL, indicating a phishing or scam attempt. The document body and embedded URLs suggest a lure for 'maps for minecraft free apk'. The presence of a visible LOLBin execution instruction points towards potential further stages of infection, though no specific script was extracted to detail this. The primary IOC is the redirector URL which is designed to lead users to malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=maps+for+minecraft+free++apk
    • http://demono.uglybugaboo.com/uploads/1/3/0/8/130814328/5679211.pdf
    • http://files.gjohnsonoboe.com/uploads/1/3/1/4/131437276/6543097.pdf
    • http://murad.overwearapparel.com/uploads/1/3/1/4/131482952/4509906.pdf
    • http://files.lespriministries.com/uploads/1/3/0/7/130776728/zuzinofibomenefowu.pdf
    • http://files.toolshardwarejamaica.com/uploads/1/3/1/4/131406448/kalotosigatedelaj.pdf
    • https://cdn.shopify.com/s/files/1/0432/1266/9089/files/45365673737.pdf
    • https://cdn.shopify.com/s/files/1/0434/0695/0557/files/fozofupakogovevikutirofaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/8992/8099/files/94596184876.pdf
    • https://cdn.shopify.com/s/files/1/0431/9612/1248/files/all_about_me_worksheet_preschool_printable.pdf
    • https://cdn.shopify.com/s/files/1/0438/5252/9829/files/matching_fruits_and_vegetables_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0431/7508/4193/files/good_form_for_bicep_curls.pdf
    • https://cdn.shopify.com/s/files/1/0430/9411/4465/files/22654855680.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/93336639176.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d04.bin
72ab6c475a459ad920efbeb0121d3bfee56ce78b070f0c4b691de80042ac29cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D04 5200 bytes
font_01_sfnt_off00007ea1.bin
93f49af53e140c0b859a39dfb6053c7009efee0c4016c61b2aa333b54ccf4303		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EA1 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.