Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3f2c0fc35be3c3f…

MALICIOUS

PDF

44.9 KB Created: 2020-09-19 07:50:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ea74f2ebfa1690db5f50a0a7d8d206a SHA-1: 38a2f0e0784ad1d11b6405ab87c46847f870fca1 SHA-256: a3f2c0fc35be3c3fd0544c9657533adf250d176c8bff99f2341e74f6f52c86db
168 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Link

The PDF contains a high number of links, many pointing to a redirector, and specifically includes a lure for a browser extension or update. The document body, though heavily obfuscated, contains a URL that appears to be a download link for 'youtube apk for pc download'. This suggests a social engineering attack aiming to trick the user into downloading and installing potentially malicious software.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=youtube+apk+for+pc+download
    • https://d1d5fed8-69b0-4a54-8
    • https://51994552-9068-4348-b2fd-e6dc7092bc03.filesusr.com/ugd/66f3f9_bd4f80b7752941e7acc40aa638c2f458.pdf?index=true
    • https://088f3e18-2205-410a-bf4a-c666937ba9b7.filesusr.com/ugd/fac845_3fb0673fc9c94a80947217b78e1e01df.pdf?index=true
    • https://f078467c-ffd5-42bf-b38f-cab017c746ae.filesusr.com/ugd/28146e_3c75c42e24a4456bb51b3700cfe02b0e.pdf?index=true
    • https://76e27429-085c-41fb-ad57-452c66ccc8ca.filesusr.com/ugd/9b33c5_377161ab81c14a7ab9612e54b8e57935.pdf?index=true
    • https://6a324be0-6f22-4d48-b876-ffb1659ebbad.filesusr.com/ugd/24853a_1ed18bf914ff42f986cd99c834f55dfe.pdf?index=true
    • https://c7c66275-f02e-4c3b-baf1-c206ce6f57fc.filesusr.com/ugd/c4f63d_2d5cda940268401cbbc39ab96f9a1461.pdf?index=true
    • https://17628cbf-12a5-4026-8e13-33950dcef120.filesusr.com/ugd/253000_72af591690ea4104ba4abe2bda7827e2.pdf?index=true
    • https://eb837ecd-391e-4c9a-9f68-f79d58ee4c21.filesusr.com/ugd/cac9e4_89b063389664498caaf205f5c5989036.pdf?index=true
    • https://2f830ad0-80c5-42ca-abcf-2da67c2e4580.filesusr.com/ugd/09c3c7_4a7e07b585f14fd49d84ceb885b484ec.pdf?index=true
    • https://00e1fa4a-3d83-48be-b9ee-bcca8d2a4c77.filesusr.com/ugd/312e0e_40332c3b94f846cb9a43afc4c2c0c2cc.pdf?index=true
    • https://ce5c0e8b-4502-4a67-b6bb-38a81a9697c7.filesusr.com/ugd/5ea691_7fcb667f0c7646b58e3c9d9d893d4b4f.pdf?index=true
    • https://eb7cde2a-2cb0-4918-acfd-cea3a92af6c4.filesusr.com/ugd/a44510_bfbce886cc8944409355c3b290b98522.pdf?index=true
    • https://966b28f2-7f55-496b-8d9c-6c61c5cf7e8c.filesusr.com/ugd/c70c35_c1075e3fb6234483b787fbc50475b2dc.pdf?index=true
    • https://521cc0a7-1b0c-4d28-a2c8-0f1cef5108a2.filesusr.com/ugd/3bf302_bacbdfc7722844adbb07d29e0ab93a20.pdf?index=true
    • https://d1d5fed8-69b0-4a54-83ae-91d6a3a5ca0d.filesusr.com/ugd/df4650_cb4aafe027424661a5fc07d0bab2211e.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/7401/0782/files/beps_action_2.pdf
    • https://cdn.shopify.com/s/files/1/0437/7670/4664/files/98480403283.pdf
    • https://cdn.shopify.com/s/files/1/0439/6403/9326/files/bestickset_functional_form_24_delar.pdf
    • https://cdn.shopify.com/s/files/1/0457/7338/9980/files/information_and_broadcasting_ministry_recruitment_2018.pdf
    • https://cdn.shopify.com/s/files/1/0433/9181/1734/files/ir_spectroscopy_applications_pdf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007149.bin
7dc873991080435120d837de15a2de110a86e807bfed65a4ad107972ed43f3a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7149 5228 bytes
font_01_sfnt_off00008337.bin
ec2147e03c2dc7efe51fd753add84e7551a780aeced86883934e3f28c50a50c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8337 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.