Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fd2615b71d00c2b…

MALICIOUS

PDF

34.7 KB Created: 2020-09-19 04:38:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48e9dd6abad4ecd907e90fdd08633378 SHA-1: d8d07ebe2d69a221ac794e0c25a44f9d3df9123f SHA-256: 9fd2615b71d00c2be0eaa9697e363982fc2dda09693b390cec8661848e7a527e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a deceptive lure, 'Digimon guide book', and embeds a large number of links to external resources. One of these links, 'https://ttraff.club/wix?keyword=digimon+guide+book', is identified as a malicious redirector. The document also features a link farm heuristic, indicating a mass of external PDF links, with 'http://paxek.ljhfoc.com/uploads/1/3/1/6/131606255/8749449.pdf' being the first identified. This suggests the document's primary purpose is to redirect users to malicious or spam-related content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=digimon+guide+book
    • http://paxek.ljhfoc.com/uploads/1/3/1/6/131606255/8749449.pdf
    • http://files.infiniteshinecleaning.com/uploads/1/3/1/3/131381607/wolelalidu_sugurizoji_tenuzonira_nipijufupa.pdf
    • http://files.slantsystem.com/uploads/1/3/1/3/131380337/9c47c4e65a81a.pdf
    • https://dd5913e3-6fb3-4b0e-bf6d-e7620ab9bbc3.filesusr.com/ugd/7c3584_8a9008e352ab4661809fe22379d934ed.pdf?index=true
    • https://14b1a1bf-ad2b-453d-b295-60e2af7dfeff.filesusr.com/ugd/ea2c45_4ff7aa156abc4cd0a1eae5145a904171.pdf?index=true
    • https://ed0a8f0e-dee5-4984-a359-a21c5e638d22.filesusr.com/ugd/95b9ea_52caca3a22ab46288b3568298c6dbd2e.pdf?index=true
    • https://e446d8cb-146d-41b3-baee-2a83b566044a.filesusr.com/ugd/733c1f_7fc5819f46bc4e3693f1f9b913b53485.pdf?index=true
    • https://219faef8-9383-4d9c-8e36-e5dce7ddb6d4.filesusr.com/ugd/b444d4_6dd6aaa19f024e7cac6b7b2e893bfeb0.pdf?index=true
    • https://75038f37-ca74-41b8-9444-9e22892a4735.filesusr.com/ugd/b444d4_0c56112ca9004878b3b4bb32b0372398.pdf?index=true
    • https://9bba85b7-6c8e-47df-8d50-e0d67b73fa8a.filesusr.com/ugd/dc8a8e_ce0aeab5aba846659f5105ae4448fc31.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a64.bin
1e310c992871b277e200e53c764bfee8d7eebb89c7a92715870e4653025eaf7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A64 4832 bytes
font_01_sfnt_off00005acd.bin
38e5029b3299cff10019b5618a522160fdace54bed4d96b1e3c4eb8a1ef0e4c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ACD 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.