Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab08c8a637af91f6…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-08-01 07:02:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5bfdc3e30881f8dd6d965fb6529d6c6e
SHA-1: 37aee3bea4236cffd2ab1f0785522cd368f50176
SHA-256: ab08c8a637af91f6cf9e2429229fcc8c2d446abeab26698dae21f6ae0c707ee6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that uses a game cheat keyword as a lure. This link is intended to redirect users to malicious infrastructure. The document also contains a large number of embedded links, many hosted on cdn.shopify.com, which is flagged as a link farm. The presence of these links suggests a phishing or social engineering attack.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=gta+5+weapons+cheat

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008791.bin
  SHA-256: b798002ce6ad4edb4e2978a49de61c9895d4af431074dd664d0a2c02f8efa43e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8791
  Size: 5140 bytes

Filename: font_01_sfnt_off0000992a.bin
  SHA-256: 7720ea119e4c035bdd429c5bcc37548b67ea2a2ef436696334054ae43f207f44
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x992A
  Size: 10684 bytes