Malicious PDF — malware analysis report

Static analysis result for SHA-256 a106e866bde01838…

MALICIOUS

PDF

Size: 52.9 KB
Created: 2020-09-19 09:21:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5adef69e377944745e397b5506e49fed
SHA-1: d8bf0070260ba3ae990093cb3e39bf7d51a787ab
SHA-256: a106e866bde01838113096426f2d62226081f208b16ecccb594e0249f89904a6
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the string 'Gossip Girl season 5 episode 1' and the malicious URL, suggesting a lure to trick users into clicking the link. The PDF_SEO_LINK_FARM heuristic indicates the presence of numerous external links, further supporting the malicious intent of directing users to potentially harmful sites.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=gossip+girl+season+5+episode+1
    • https://67a039df-e807-4da5-b7eb-b98f6d26338d.filesusr.com/ugd/590778_b444fd95145949aeb13bae7e569e34f0.pdf?index=true
    • https://5fd2f68f-953e-4b49-9f5c-1ba2bf29e37e.filesusr.com/ugd/008e52_b2eefab22803460089be4667f936ffb7.pdf?index=true
    • https://70365e3a-b361-4282-b8d4-7cb35714e875.filesusr.com/ugd/4a2613_2991d9cff4ce414cba2c29e8f00ffca1.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/4038/1855/files/blackbird_beatles_guitar.pdf
    • https://cdn.shopify.com/s/files/1/0447/7734/1079/files/alvaro_soler_la_cintura_mp4.pdf
    • https://cdn.shopify.com/s/files/1/0440/4844/9686/files/xmtv_player_apk_2019.pdf
    • https://cdn.shopify.com/s/files/1/0443/1210/1020/files/building_construction_illustrated_4th_edition_download.pdf
    • https://cdn.shopify.com/s/files/1/0457/6886/8006/files/35090976192.pdf
    • https://d5d73e0b-0e1f-49d1-9d8a-2d18a002507f.filesusr.com/ugd/c88839_e7a7849667314241a84e48876073dc2c.pdf?index=true
    • https://d8d97daa-f939-4173-8846-6d1edcea5130.filesusr.com/ugd/bba345_00b321b3a3ce4eaaadf5f09f8c14d1c8.pdf?index=true
    • https://547340ac-5f36-4b7f-b52f-a74e5efab28d.filesusr.com/ugd/69a512_37c7754b661d40e3b9ad54aa3b359fb4.pdf?index=true
    • https://05571a82-46b5-484e-a5bb-7f4006df0e67.filesusr.com/ugd/b1b16e_ffad1a0bf24c4368969e7d7bf3c63dfe.pdf?index=true
    • https://59465b44-af10-4f19-988e-52f62ff9d936.filesusr.com/ugd/7d1dc9_d61894387d614d70b8aab0c0181db5b6.pdf?index=true
    • https://b2b06046-4db9-4ca2-8231-55df95593ea1.filesusr.com/ugd/0ad6c7_ffc7cb35dd024fb4ac0d1a7e557292cd.pdf?index=true
    • https://1e6122f0-6084-4099-be93-bd6e7beb9e28.filesusr.com/ugd/ee4a13_1e4164fadf804d77b9b87740e8839930.pdf?index=true
    • https://8af01568-2261-4622-bea2-c20f5034d48e.filesusr.com/ugd/08338c_35afc8e16c0448bfb7a2a0363a73b547.pdf?index=true
    • https://cc0aae1b-241e-4c14-8c83-caefceaa49aa.filesusr.com/ugd/daca0d_777aedea55e04cb7be9c76bad10b113e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000912d.bin
    SHA-256: 02fe5075bd2d244088eb2e0b812328ca186d215cf61444aa5f57ed8c2886cd03
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x912D
    Size: 5332 bytes
  • Filename: font_01_sfnt_off0000a363.bin
    SHA-256: 58a67e205530efeed84b69b89e61ee91cd43d1b8dc7634b933a167e915657bb9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA363
    Size: 10168 bytes