Malicious PDF — malware analysis report

Static analysis result for SHA-256 b57bbe9573a4cfd5…

MALICIOUS

PDF

70.3 KB Created: 2020-09-17 22:49:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6446f32bd1462436c64dca1c53b40b2b SHA-1: 5d4b817774eee202d51761566a116c021cea6c9f SHA-256: b57bbe9573a4cfd5370156ce63461f5b493e5615d428d98f9515cbd5d84d1f15
188 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic indicating it's a malicious redirector, pointing to a URL designed to lure users with a 'prodigy hack generator' theme. It also exhibits characteristics of a fake CAPTCHA or human verification prompt, further reinforcing the social engineering aspect. The presence of numerous embedded links, many leading to external PDFs, suggests a link farm designed for SEO manipulation to attract victims. The document body, though heavily obfuscated, contains the malicious URL.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=prodigy+hack+generator+no+human+verification
    • http://files.wbyu.net/uploads/1/3/1/3/131379290/wuwumiwa_sewokab.pdf
    • http://files.cninc.org/uploads/1/3/2/7/132740479/5324237.pdf
    • http://files.hawaiistylecheer.com/uploads/1/3/1/3/131379014/judadebinetuzi-zotedusemuku-ziwusonevedaxen.pdf
    • http://ramivulux.crossfitparsons.com/uploads/1/3/1/0/131070674/1141443.pdf
    • http://files.hawaiistylecheer.com/uploads/1/3/1/3/131379014/judadebinetuzi-zotedusemuku-zi
    • https://cdn.shopify.com/s/files/1/0433/9944/6693/files/29804174488.pdf
    • https://cdn.shopify.com/s/files/1/0477/2580/5724/files/microsoft_access_templates_2018.pdf
    • https://cdn.shopify.com/s/files/1/0432/2279/4395/files/240409660.pdf
    • https://75b35160-dea0-464e-8dd0-b1e95085fadc.filesusr.com/ugd/54bec1_3b21d1d17378497c947fdb89c7be3ebd.pdf?index=true
    • https://c7fd87de-df1b-42f2-bdec-4bbdc54ce438.filesusr.com/ugd/b1b3ad_35f6b3aa634e4eb180b10179004c4193.pdf?index=true
    • https://9f605a69-0b6c-404b-84ce-9e4ceecfd7c7.filesusr.com/ugd/7c1f05_7d9a410b67be4bf7b351377c16febaa4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c378.bin
3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC378 6440 bytes
font_01_sfnt_off0000d36c.bin
f280da116d7d21668e725040f6f8200c8802c1a76104c0b8da354a061d9efb07		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD36C 5452 bytes
font_02_sfnt_off0000e5e0.bin
6f322150527c583e8cebc772229c001b1712dd9f62481576f9a8740868657551		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5E0 11148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.