Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2a5667b87bca739…

MALICIOUS

PDF

Size: 59.1 KB
Created: 2020-09-17 17:49:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 112113f85a16df85668efb40fb80e797
SHA-1: cf1e6d88cd9fe65820e5d4b264348bba062dd4ac
SHA-256: b2a5667b87bca739a11d5b1f31ce284578162c54f43f38eca75e0fc0e8b001e6
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that promises a 'gta 2 android apk download'. The document body also contains this URL and a large number of other PDF links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning tactic. The presence of a 'download button' heuristic further supports the lure of downloading a file. The primary malicious URL is ttraff.me.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=gta+2+android+apk+download+playstation
    • http://judojaz.nicole-phillips.com/uploads/1/3/1/4/131437626/d79fcdf54f.pdf
    • http://xowilezo.scottwbrooks.com/uploads/1/3/0/7/130740073/paroluponawub_kewoz_pipirake.pdf
    • http://files.fbtvmin.net/uploads/1/3/2/6/132681773/4948198.pdf
    • https://cdn.shopify.com/s/files/1/0439/7082/2302/files/solution_manual_for_artificial_intelligence_by_rich_and_knight.pdf
    • https://cdn.shopify.com/s/files/1/0431/5011/4978/files/jemedogafaxonukijunad.pdf
    • https://cdn.shopify.com/s/files/1/0437/6828/3287/files/nevijasimiwedizivu.pdf
    • https://cdn.shopify.com/s/files/1/0434/8438/1350/files/dan_brown_inferno.pdf
    • https://cdn.shopify.com/s/files/1/0430/3942/4665/files/22969769244.pdf
    • https://8bd70898-c9a4-4197-b64a-e6592a58cd96.filesusr.com/ugd/8c0e65_97c63ad1ef6b4edb9cf80518d0ea2ced.pdf?index=true
    • https://6b1c1404-0863-4c3f-b3bd-7082b1e290d9.filesusr.com/ugd/8a9bcc_93b68a5e298b48d0acde1f3b44b849dd.pdf?index=true
    • https://eec1d889-bf61-4be7-856c-d2a9fc091142.filesusr.com/ugd/f95141_e17e20c50b7d4025b5894e5ef722c2ed.pdf?index=true
    • https://d16315e6-5beb-4ebc-bd5f-6c8d0a8fa278.filesusr.com/ugd/d5d855_f0b2cf2038ab4c22a518379b935f6457.pdf?index=true
    • https://41858015-bbdf-4c0a-8072-68fc10611566.filesusr.com/ugd/23a6c3_2d2b2fd822fc4e24b6c4ad0af45d6f8a.pdf?index=true
    • https://707a56b9-5524-4731-b788-df1c82798dca.filesusr.com/ugd/d61b30_b5b15472b87a4c93a31fc29ae21e3489.pdf?index=true
    • https://4c002c45-1d2f-4938-be17-ee1621bd0760.filesusr.com/ugd/7a11b0_156a7fdfc8a54e3abfcb07c2d057f8b8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off00007a76.bin
  SHA-256: 1f704321da6c9533394e3daca62f4c9b2d8e087e2f11655debdc550516026f40
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7A76
  Size:    3012 bytes

font_01_sfnt_off0000853e.bin
  SHA-256: 48646943f4070fd8c252c350b34ce0956cdaf3461dfc81b2d179ff19a687f2d9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x853E
  Size:    5376 bytes

font_02_sfnt_off000097b8.bin
  SHA-256: 6fcf387f212335902b054e4c51fb0381ae8eec74af18eb752e69ef6427b0d935
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x97B8
  Size:    12876 bytes

font_03_sfnt_off0000c129.bin
  SHA-256: 284786b0b167a0dc553e091482279f6cab3a7bbf8e9cb7c4e7eaa6c43a43c8a3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC129
  Size:    19180 bytes