Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9a07e29f0fb9756…

Verdict: MALICIOUS
File type: PDF
Size: 66.8 KB
Created: 2020-09-04 11:37:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8286815baa56c7f3b1063ac3b93e580c
SHA-1: e95f2cda3c3bb51840413785e610fe6d399dead7
SHA-256: b9a07e29f0fb97560fd62b0f45a8e6baca8ffc7f622185ecb4c125a43d2e5dc8
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link (the ID and label in the original tagging disagree: T1566.002 is Spearphishing Link, Spearphishing Attachment is T1566.001; the PDF is the attachment, and its clickable link annotations are the delivery mechanism, so either mapping can be argued)
  • T1059.001 PowerShell (not evidenced by the static findings below, which consist of link annotations only and no script content; treat this as campaign context rather than behaviour observed in this file)

The PDF contains a link farm and a single redirector URL disguised as a lure for 'Bollywood video songs in mkv format'. The redirector points to infrastructure already associated with a malicious PDF SEO/adware campaign (see PDF_MALICIOUS_REDIRECTOR_LINK below). The document body, though heavily obfuscated, repeats the same lure text and URLs. No parser exploit or script content is involved: the file is a carrier that routes a user who clicks the link into a redirect chain, most likely for unwanted-software delivery or credential harvesting.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI (a /Link annotation with a /URI action) pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on the user clicking and on a server-side redirect chain rather than on a PDF parser vulnerability, so the risk lies in the destination, not in parsing the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains and does not resemble a normal citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL is reached.
    Clickable links (link annotations):
    • https://ttraff.link/wix?keyword=bollywood+video+songs++in+mkv+format (the redirector; also present as lure text in the document body)
    • https://static.usrfiles.com/ugd/b8c837_935f39ae9fc64dfdafd45904ef9bd08c.pdf
    • https://static.usrfiles.com/ugd/5ea4d5_9944268213fd4e9bb9d15dc891f2c6b9.pdf
    • https://static.usrfiles.com/ugd/73c254_ee115b160626437e99aaa9c9d342cba4.pdf
    • https://static.usrfiles.com/ugd/ee6770_153c966c36d2420697c118b4e50c375e.pdf
    • https://static.usrfiles.com/ugd/e1d58f_2884e4835b7842bf994e96fd817ebed0.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e81fd44c89242d781c1bddc7448a2a8.pdf
    • https://static.usrfiles.com/ugd/6f7357_96876c753724469685e2e53d8eb1eb06.pdf
    • https://static.usrfiles.com/ugd/4826f5_10b1be8d226545b7894181dd37f49ba2.pdf
    • https://static.usrfiles.com/ugd/694d5d_21384456f2c444c7b6ea3d0a39577edb.pdf
    • https://static.usrfiles.com/ugd/516793_33bdd4c26d95406c9c4ee1db4eb61cb7.pdf
    • https://cdn.shopify.com/s/files/1/0437/2047/4779/files/atharva_veda_in_marathi_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1204107997.pdf
    • https://cdn.shopify.com/s/files/1/0431/4493/7623/files/bedurimabonukegejim.pdf
    XMP metadata namespace URIs (schema identifiers from the document's metadata packet, not link targets; expected in any XMP-bearing PDF and not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
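The three heuristics above can be reproduced with a short static scanner. The following is an added example, not part of the original report and not the analyser's own code: it pulls URLs out of a PDF per channel (/URI link-annotation actions, XMP namespace declarations, and bare URLs in inflated content streams as "document body"), then applies a link-farm rule (many external .pdf links on a small file, mostly on one host) and a redirector-host rule. The thresholds, the redirector host list and the sample PDF it builds are assumptions chosen to mirror this report, not the real tunables or the real file.

```python
"""Added example, not part of the original report or the analyser's own code:
a small static scanner reproducing the link-farm, redirector-link and
per-channel URL heuristics. Thresholds, host list and sample are assumptions."""
import re
import zlib
from collections import Counter, defaultdict
from urllib.parse import urlparse

# /A << /S /URI /URI (...) >> link-annotation actions, XMP namespace
# declarations, and anything else that looks like a URL (document body).
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
XMLNS_RE = re.compile(rb'xmlns:[\w.-]+="(https?://[^"]+)"')
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that can appear inside a URL."""
    return raw.decode("latin-1").replace("\\(", "(").replace("\\)", ")").replace("\\\\", "\\")


def views(data: bytes):
    """Yield the raw file plus every stream that inflates as Flate, so URLs
    inside compressed content or object streams are not missed."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # font/image data or a filter this example does not handle


def extract_urls(data: bytes) -> dict:
    """Return {url: set(channel)}; channels are link_annotation,
    xmp_namespace and document_body, mirroring the report's per-URL labels."""
    chan = defaultdict(set)
    for view in views(data):
        for m in URI_ACTION_RE.finditer(view):
            chan[_unescape(m.group(1))].add("link_annotation")
        for m in XMLNS_RE.finditer(view):
            chan[m.group(1).decode("latin-1")].add("xmp_namespace")
        rest = view  # blank already-classified spans so they are not re-counted as body text
        for rx in (URI_ACTION_RE, XMLNS_RE):
            rest = rx.sub(lambda m: b" " * len(m.group(0)), rest)
        for m in ANY_URL_RE.finditer(rest):
            chan[m.group(0).decode("latin-1")].add("document_body")
    return dict(chan)


def analyze(data: bytes, redirector_hosts=frozenset({"ttraff.link"}),
            size_limit=200_000, farm_min=8, farm_ratio=0.6):
    """Run the heuristics. Thresholds and host list are example values (assumed)."""
    urls = extract_urls(data)
    links = [u for u, ch in urls.items() if "link_annotation" in ch]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    findings = []
    if len(data) <= size_limit and len(pdf_links) >= farm_min:
        host, n = Counter(urlparse(u).netloc.lower() for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= farm_ratio:
            findings.append(("PDF_SEO_LINK_FARM", "critical",
                             f"{len(pdf_links)} external .pdf links, {n} on {host}"))
    for u in links:
        if urlparse(u).netloc.lower() in redirector_hosts:
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", u))
    if urls:
        findings.append(("EMBEDDED_URL", "info", f"{len(urls)} URLs extracted"))
    return findings, urls


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one page with twelve .pdf link
    annotations clustered on one host, one redirector link, an XMP packet, and a
    Flate-compressed content stream that repeats the lure URL as visible text."""
    redirector = "https://ttraff.link/wix?keyword=bollywood+video+songs++in+mkv+format"
    farm = [f"https://static.usrfiles.com/ugd/sample_{i:02d}.pdf" for i in range(9)]
    farm += [f"https://cdn.shopify.com/s/files/sample_{i}.pdf" for i in range(3)]
    annots, objs = [], []
    for num, u in enumerate([redirector] + farm, start=6):
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
        annots.append(f"{num} 0 R")
    content = zlib.compress(f"BT /F1 12 Tf 20 700 Td ({redirector}) Tj ET".encode())
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    head = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Contents 4 0 R /Annots [{' '.join(annots)}] >>\nendobj\n"
            f"4 0 obj\n<< /Length {len(content)} /Filter /FlateDecode >>\nstream\n")
    tail = (f"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n" + "".join(objs) +
            "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return head.encode("latin-1") + content + b"\nendstream\nendobj\n" + tail.encode("latin-1")


if __name__ == "__main__":
    for name, severity, detail in analyze(build_sample_pdf())[0]:
        print(f"[{severity}] {name}: {detail}")
```

Run it as a script to see the three findings on the constructed sample, or call analyze() on real file bytes. The scanner only sees URLs that survive as plain text after Flate inflation; a wkhtmltopdf document draws body text with embedded-font glyph IDs, so on a real sample of this kind the "document body" channel usually needs text extraction rather than a byte regex, whereas link annotations are reliably visible. Note that the XMP namespace URIs come out tagged xmp_namespace and never count toward the farm or redirector rules.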

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000b94b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB94B   5596 bytes
  SHA-256: a88d8bf2ff7a464538ae0f3cb3af8ade6d000375871feb65e703ca88aafafa92
font_01_sfnt_off0000cc69.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCC69   15592 bytes
  SHA-256: ba959b6729889dce3651553447fad5f1a41b4dee41e52f8250e9fbd14afb3dac