Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7581b287d0855ce…

MALICIOUS

PDF

Size: 48.0 KB
Created: 2020-08-31 07:43:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 922246de1da78bd4950bd17e5b0e7449
SHA-1: 42fc9d020147d0c6f1178a4685223f0da1e115d0
SHA-256: b7581b287d0855ce38ed5d504f57116e93debd8dc732ea697fe79a2c1d37d5a5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a lure promising free PlayStation Plus games, directing users to a malicious redirector URL. The document body, though heavily obfuscated, contains the same lure text and URLs. The PDF was identified as a malicious redirector and a link farm, indicating a phishing or scam attempt.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/wix?keyword=download+the+same+ps+plus+game+on+two+ps4
    • https://static.usrfiles.com/ugd/de65f7_255e311cffed41ddabb6675837be3c0d.pdf
    • https://static.usrfiles.com/ugd/5ecadc_4bc92536f91d49db98bcf7a16be927e3.pdf
    • https://static.usrfiles.com/ugd/b8c837_66a6cfa2ee224b98bf7f8cd17310c0b4.pdf
    • https://static.usrfiles.com/ugd/1decf9_08ecab5bfaee4439a193447201b7ae76.pdf
    • https://static.usrfiles.com/ugd/7198c1_c7976ee2e4a44478a97b432d0a69840c.pdf
    • https://static.usrfiles.com/ugd/d78803_9929dbe5bfe34d3ebd6f7c13bd3fd88c.pdf
    • https://static.usrfiles.com/ugd/24853a_a4403339fd014b4ba85c46c9fbcae623.pdf
    • https://static.usrfiles.com/ugd/b8c837_1d50b7e52fc346ba9299f91c652bb6f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_5efa5754b4034f06a5226a533c3911f5.pdf
    • https://static.usrfiles.com/ugd/6240f8_6d8f5b2fb60b4ff9969ed9387e39088b.pdf
    • https://static.usrfiles.com/ugd/b8c837_b1dd12f2921e4ba1bb4d86d1fff3773f.pdf
    • https://cdn.shopify.com/s/files/1/0434/3876/8284/files/kant_and_the_problem_of_metaphysics_heidegger.pdf
    • https://cdn.shopify.com/s/files/1/0433/8515/9838/files/grammar_lessons_for_middle_school.pdf
    • https://cdn.shopify.com/s/files/1/0432/9727/6064/files/destiny_crota_raid_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007a5e.bin
  SHA-256: 0ee0f58eb73bae39cb1ebf8e39c3663606e9262605e305561d513b6c88a0f582
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7A5E
  Size: 5456 bytes

Filename: font_01_sfnt_off00008ce3.bin
  SHA-256: 9dca1ec7f247de42db7942c4ad834cb6e9dd9903832a734b301d030eb9bd4182
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8CE3
  Size: 11088 bytes