Malicious PDF — malware analysis report

Static analysis result for SHA-256 a83af11a5d17d13b…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-08-14 23:22:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c3060433c28e2676b8d86cd30eff17b
SHA-1: 21880703ffa3eede905148704e5bbe6d122445bd
SHA-256: a83af11a5d17d13bbdd18b4482abf25ee1e1fe14fe4372bb88c7509f64c76e60
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1204.002 Malicious File

The PDF contains numerous embedded links, one of which points to known malicious redirector infrastructure. The document body, though partially garbled, contains text consistent with a lure for a song download, which matches the keyword carried in the redirector URL. The link-farm heuristic further indicates a generated carrier document built to distribute malicious or unwanted content or to abuse search-engine ranking. The primary IOC is the redirector URL, which likely serves as the first stage of a phishing or unwanted-software delivery chain; the sample relies on the user clicking through, not on a PDF parser vulnerability.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (13; the first is the redirector flagged by PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.cc/pify?keyword=chaliya+chaliya+song++320kbps
    • http://files.carolavedonsavage.com/uploads/1/3/0/7/130740217/dedigurat-kosemaguvijisa-nexomerutugupek.pdf
    • http://files.theaterdanceworkshop.org/uploads/1/3/2/8/132814624/b1f196b90c7f170.pdf
    • http://files.windycreek1910.com/uploads/1/3/1/4/131437689/6098753.pdf
    • https://cdn.shopify.com/s/files/1/0435/5712/6295/files/naratapo.pdf
    • https://cdn.shopify.com/s/files/1/0430/9693/2505/files/pdf_the_new_oxford_annotated_bible_with_apocrypha_new_revised.pdf
    • https://cdn.shopify.com/s/files/1/0431/1747/8044/files/jajed.pdf
    • https://cdn.shopify.com/s/files/1/0431/7511/6964/files/pupusoriponolaziv.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/99640144283.pdf
    • https://cdn.shopify.com/s/files/1/0432/7964/6878/files/moxubajupotuxoselenidimu.pdf
    • https://cdn.shopify.com/s/files/1/0435/1868/9432/files/21751084558.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/98973723668.pdf
    • https://cdn.shopify.com/s/files/1/0435/9703/7730/files/dowukixakuraluxenun.pdf
    XMP namespace URIs (6; schema identifiers from the document's XMP metadata packet, not clickable links, and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
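The two critical heuristics and the per-URL channel labelling described above can be reproduced with stdlib Python. The block below is an added example, not the analysis platform's own code. It pulls /URI strings out of link annotations with a regex over the raw bytes (sufficient for the uncompressed annotation dictionaries wkhtmltopdf emits; dictionaries inside object streams would need a real PDF parser), runs a plain URL scan over the remaining bytes as the "document body" channel, labels XMP/RDF namespace URIs as metadata so they never feed a detection, and then applies a redirector watch-list and a link-farm test. The watch-list (seeded with the single host from this report), the size and clustering thresholds, and the sample PDF are assumptions constructed for the example.

```python
"""Per-URL channel labelling plus redirector / link-farm heuristics for a PDF.

Added example; not the analysis platform's code. Thresholds, the watch-list
and the sample document are assumptions made for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

REDIRECTOR_HOSTS = {"ttraff.cc"}          # assumed watch-list, seeded from this report
XMP_NAMESPACE_PREFIXES = (                # schema identifiers, never clickable links
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)
SMALL_PDF_BYTES = 200 * 1024              # assumed "small PDF" threshold
MIN_EXTERNAL_PDF_LINKS = 5                # assumed link-farm threshold
MIN_TOP_HOST_SHARE = 0.5                  # assumed "clustered on one host" threshold

# /URI (...) literal string inside a link annotation's action dictionary;
# PDF literal strings escape ( ) and \ with a backslash.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb"https?://[^\s'\"<>()\\]+")


def _unescape(literal):
    return re.sub(rb"\\(.)", lambda m: m.group(1), literal).decode("latin-1")


def extract_urls(pdf_bytes):
    """Map each URL to the channel that reached it (first channel wins)."""
    channels = {}
    for m in URI_RE.finditer(pdf_bytes):
        channels.setdefault(_unescape(m.group(1)), "link-annotation")
    rest = URI_RE.sub(b"", pdf_bytes)     # so the body scan does not re-find annotation URIs
    for m in URL_RE.finditer(rest):
        url = m.group(0).decode("latin-1")
        kind = "xmp-namespace" if url.startswith(XMP_NAMESPACE_PREFIXES) else "document-body"
        channels.setdefault(url, kind)
    return channels


def analyse(pdf_bytes):
    channels = extract_urls(pdf_bytes)
    links = [u for u, c in channels.items() if c != "xmp-namespace"]
    redirectors = [u for u in links if urlsplit(u).hostname in REDIRECTOR_HOSTS]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    hits = []
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf_bytes) <= SMALL_PDF_BYTES
            and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
            and hosts.most_common(1)[0][1] / len(pdf_links) >= MIN_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    return {"channels": channels, "redirectors": redirectors,
            "pdf_link_hosts": dict(hosts), "heuristics": hits}


# Constructed sample: the report's redirector URL plus a link farm clustered on one CDN host.
SAMPLE_URLS = [
    "https://ttraff.cc/pify?keyword=chaliya+chaliya+song++320kbps",
    "http://files.host-a.test/uploads/1/3/0/7/doc1.pdf",
    "http://files.host-b.test/uploads/1/3/2/8/doc2.pdf",
] + ["https://cdn.shopify.com/s/files/1/04%02d/files/x%d.pdf" % (i, i) for i in range(6)]

XMP_PACKET = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
              b"<rdf:Description xmlns:dc='http://purl.org/dc/elements/1.1/' "
              b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></rdf:RDF>")


def build_link_sample_pdf(urls, xmp=XMP_PACKET):
    """Constructed PDF fragment: one /Link annotation per URL and an XMP metadata stream.
    Not a well-formed file (no xref table), which is all the byte scan needs."""
    parts = [b"%PDF-1.4\n"]
    for n, u in enumerate(urls, start=10):
        esc = re.sub(rb"([()\\])", rb"\\\1", u.encode("latin-1"))
        parts.append((b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                      b"/A << /S /URI /URI (%s) >> >>\nendobj\n") % (n, esc))
    parts.append((b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\n"
                  b"stream\n%s\nendstream\nendobj\n") % (len(xmp), xmp))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    report = analyse(build_link_sample_pdf(SAMPLE_URLS))
    for url, channel in report["channels"].items():
        print(f"{channel:16} {url}")
    print("heuristics:", report["heuristics"])
```

Against a real sample, run `analyse(open(path, "rb").read())`; the "document-body" channel will also surface URLs that sit in page content streams only if those streams are stored uncompressed, so treat an empty body channel on a Flate-compressed PDF as "not inspected" rather than "no URLs".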

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off00005189.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5189
  Size:    5456 bytes
  SHA-256: 41618163b7ec14c19f72c0f7f28ce173960e37ec7b505da0022151ddaf2518ea

font_01_sfnt_off000063f8.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x63F8
  Size:    13824 bytes
  SHA-256: 09c6a73bc82dfbcdb8d0af0a06544c3cead3912c2b80703dfbbe31990ce9b7ee

font_02_sfnt_off0000902d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x902D
  Size:    4324 bytes
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c

font_03_sfnt_off00009e2e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9E2E
  Size:    2896 bytes
  SHA-256: 5048ad52be8c716202be91ed9dfc2fc4b5bc5f52fa8ecbf13f12d545e5b920ce
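To reproduce an artifact table like the one above against your own copy of a sample, the carver below walks every stream in the raw PDF, trusts /Length only when `endstream` actually follows at that distance (falling back to a keyword scan otherwise, which also covers indirect `/Length n 0 R` references), inflates /FlateDecode streams, keeps payloads whose first four bytes are an sfnt tag (TrueType 0x00010000, `true`, or CFF-based `OTTO`), and reports file offset, decoded size and SHA-256. This is an added example, not the platform's carver; the sample PDF and its font payloads are constructed, and the reported offset is where the stream data starts in the file, which matches how the table above expresses offsets.

```python
"""Carve embedded sfnt font streams out of a PDF and hash them.

Added example; not the analysis platform's carver. The sample document and
its fake font payloads are constructed for illustration.
"""
import hashlib
import re
import zlib

SFNT_TAGS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
# 'stream' keyword that is not the tail of 'endstream'
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
# direct /Length only; '/Length 4 0 R' (indirect) deliberately does not match
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf):
    """Yield (data_offset, raw_stream_bytes, dict_text) for every stream object."""
    for m in STREAM_KW.finditer(pdf):
        head = pdf.rfind(b" obj", 0, m.start())
        if head < 0:
            continue
        dict_text = pdf[head:m.start()]
        start = m.end()
        lm = LENGTH_RE.search(dict_text)
        if lm:
            end = start + int(lm.group(1))
            # only trust /Length if 'endstream' really follows; a lying length is
            # a classic trick for hiding a payload from naive parsers
            if pdf[end:end + 20].lstrip().startswith(b"endstream"):
                yield start, pdf[start:end], dict_text
                continue
        end = pdf.find(b"endstream", start)
        if end < 0:
            continue
        yield start, pdf[start:end].rstrip(b"\r\n"), dict_text


def carve_sfnt_fonts(pdf):
    """Return one record per stream whose (decoded) payload starts with an sfnt tag."""
    found = []
    for offset, data, dict_text in iter_streams(pdf):
        compressed = b"/FlateDecode" in dict_text
        if compressed:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                      # corrupt or non-zlib stream: skip
        if data[:4] in SFNT_TAGS:
            found.append({"offset": offset, "size": len(data),
                          "compressed": compressed, "sha256": sha256_hex(data)})
    return found


def build_font_sample_pdf():
    """Constructed PDF: a raw TrueType-tagged stream, a Flate-compressed OTTO-tagged
    stream, and a non-font stream with an indirect /Length. Returns the bytes and
    the expected SHA-256 of each decoded font payload."""
    font_a = b"\x00\x01\x00\x00" + b"A" * 100     # fake TrueType payload (magic only)
    font_b_plain = b"OTTO" + b"B" * 100           # fake CFF-flavoured payload
    font_b = zlib.compress(font_b_plain)
    not_font = b"x" * 40
    parts = [b"%PDF-1.4\n"]
    parts.append(b"1 0 obj\n<< /Length %d >>\nstream\n" % len(font_a)
                 + font_a + b"\nendstream\nendobj\n")
    parts.append(b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(font_b)
                 + font_b + b"\nendstream\nendobj\n")
    parts.append(b"3 0 obj\n<< /Length 4 0 R >>\nstream\n"
                 + not_font + b"\nendstream\nendobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts), {"a": sha256_hex(font_a), "b": sha256_hex(font_b_plain)}


if __name__ == "__main__":
    sample, _ = build_font_sample_pdf()
    for i, rec in enumerate(carve_sfnt_fonts(sample)):
        print("font_%02d_sfnt_off%08x.bin  %d bytes  %s" % (i, rec["offset"], rec["size"], rec["sha256"]))
```

Run it on a real file with `carve_sfnt_fonts(open(path, "rb").read())` and write each record's decoded bytes out under the `font_NN_sfnt_offXXXXXXXX.bin` naming scheme to compare hashes with the table; a font whose hash matches a known-good system font can be dropped from triage, while one that does not is worth opening in a font parser, since malformed sfnt tables have historically been a PDF reader attack surface even though this sample does not use one.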