Malicious PDF — malware analysis report

Static analysis result for SHA-256 a70a0745072110d5…

MALICIOUS

PDF

Size: 54.3 KB
Created: 2020-10-19 07:46:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 702707b60b56e16109904c96608bcf24
SHA-1: e4a5a2aa6c7ab1cfca6113eb5c1828189628405c
SHA-256: a70a0745072110d59f24441d77008a6aa6a9193fa470a249f84fa71f0672ff54
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains multiple embedded links, with one critical heuristic firing that indicates a link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'top shooting games for android free download' together with the malicious URL, suggesting a lure to a malicious site. The presence of numerous links to Weebly-hosted PDFs also indicates a link farm, a common tactic for SEO poisoning and traffic redirection.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.club/123?keyword=top+shooting+games+for+android+free+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000086df.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x86DF  5284 bytes
  SHA-256: 4e05446fed9a92c9344c8372eff430fd12da994b37f953e760a8d2f340a10029
font_01_sfnt_off000098ae.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x98AE  10696 bytes
  SHA-256: 468e0f746042ccb7147cfbd393e5a019e6bd5b0391cee07b2a5579cad46e1787
font_02_sfnt_off0000bd32.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBD32  4324 bytes
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34