Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad3ab2eb5df0d210…

MALICIOUS

PDF

42.6 KB Created: 2020-08-25 08:01:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a9106caba490e9337f2da6293d709a5 SHA-1: 07d3dd1cf4f44650f8bad5aa70438789f6e2abf9 SHA-256: ad3ab2eb5df0d210da5db0ab8e6a1897c3a2fae20374e48606bf43566ac6672e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a malicious domain, disguised as a California state lottery claim form. This is further supported by heuristics indicating a malicious redirector link and a PDF link farm. The document body, though heavily corrupted, contains text related to the lottery claim form and the redirect URL, reinforcing the phishing lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=california+state+lottery+claim+form
    • http://files.jorgemolinaart.com/uploads/1/3/1/4/131438071/jagewipe.pdf
    • http://files.oszkayconstructioninc.com/uploads/1/3/0/7/130739837/wuwuludun.pdf
    • http://files.light-sup.com/uploads/1/3/2/6/132681002/lolonegesositub.pdf
    • http://files.julietzanniceramics.com/uploads/1/3/1/3/131380342/f98d5b2.pdf
    • http://givovudu.quietlyjudging.com/uploads/1/3/1/4/131436967/sumironese.pdf
    • https://cdn.shopify.com/s/files/1/0436/8033/3989/files/44260783958.pdf
    • https://cdn.shopify.com/s/files/1/0433/9613/7111/files/mipexavagexideg.pdf
    • https://cdn.shopify.com/s/files/1/0447/8582/7991/files/tipos_de_lodos_activados.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3758/files/80802418616.pdf
    • https://cdn.shopify.com/s/files/1/0436/0595/0626/files/34980224886.pdf
    • https://cdn.shopify.com/s/files/1/0430/8631/5671/files/bendy_ink_machine_free.pdf
    • https://cdn.shopify.com/s/files/1/0461/1846/9796/files/betiya_betiya_full_video_song_free.pdf
    • https://cdn.shopify.com/s/files/1/0440/8924/5861/files/rusesunar.pdf
    • https://cdn.shopify.com/s/files/1/0430/6056/0021/files/74058566625.pdf
    • https://cdn.shopify.com/s/files/1/0434/6360/6429/files/85828371546.pdf
    • https://cdn.shopify.com/s/files/1/0439/1793/4747/files/jelamezeg.pdf
    • https://cdn.shopify.com/s/files/1/0433/8984/5671/files/why_did_you_choose_accounting_career_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/9281/1669/files/elemental_shaman_7._2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000691a.bin
c86dadd823490a91fac3313845674e9e899e607f5ba0a7ef761ea9a08325d9d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x691A 5032 bytes
font_01_sfnt_off00007a27.bin
2fd8db8499768e5785f75b7404cdcf51f2ebd54e520f15b80083865d831c4aae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A27 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.