Malicious PDF — malware analysis report

Static analysis result for SHA-256 a969a64275f48288…

MALICIOUS

PDF

47.2 KB Created: 2020-08-17 17:45:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7edea7fd052a5fd625f7e4998bc548a1 SHA-1: 70296a4db3642700d839940d009840c62c45d43f SHA-256: a969a64275f48288644bde32603dde053ebd86920305b1b6b52a82c71c6e05e9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'Attack on Titan game ipad' and a URL that points to a redirector. This suggests a social engineering attempt to direct users to malicious content. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=attack+on+titan+game++ipad
    • http://puwasus.idfva.org/uploads/1/3/0/7/130775805/rikijusej.pdf
    • https://cdn.shopify.com/s/files/1/0436/0772/0094/files/dugemaduwerovu.pdf
    • https://cdn.shopify.com/s/files/1/0452/4458/0002/files/att_uverse_packages.pdf
    • https://cdn.shopify.com/s/files/1/0430/9496/6436/files/naradotemunago.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pujofupokutesigitugut.pdf
    • https://cdn.shopify.com/s/files/1/0438/4056/9494/files/30991452606.pdf
    • https://cdn.shopify.com/s/files/1/0430/2084/5210/files/lith_medical_term.pdf
    • https://cdn.shopify.com/s/files/1/0434/9480/1568/files/15567318693.pdf
    • https://cdn.shopify.com/s/files/1/0438/1242/1789/files/ganpati_stotra_in_marathi.pdf
    • https://cdn.shopify.com/s/files/1/0432/3826/0899/files/60838919600.pdf
    • https://cdn.shopify.com/s/files/1/0434/3080/5671/files/ragemujof.pdf
    • https://cdn.shopify.com/s/files/1/0439/8707/5230/files/roomba_650_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/2011/6387/files/74127739749.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/koxumugude.pdf
    • https://cdn.shopify.com/s/files/1/0430/1750/2869/files/36576029801.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006521.bin
d1b2333c13ab65415b55dfc3e3445eb90c43ab52f8f87a759e08d5a7a0d2a8ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6521 5140 bytes
font_01_sfnt_off00007689.bin
904020d3584902f27f7874975bcfcfc6949301ff10813758c98a4c2a9e623ae6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7689 10632 bytes
font_02_sfnt_off00009b0c.bin
956bd9f88d2002ae4d8912728d8614d0a8e21194bf5b6a01accc3d37d7402fbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B0C 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.