Malicious PDF — malware analysis report

Static analysis result for SHA-256 c173dc130693297d…

MALICIOUS

PDF

43.2 KB Created: 2020-08-24 22:06:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25fe19a228595ef370e32b377a89d953 SHA-1: ce8a6a0cab91b3d0c96206572789e54f4bf70f92 SHA-256: c173dc130693297dc7d9ee75603634d0734637f0f3cd55ab4e8faeaf6d2aef61
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a prominent link that redirects to a malicious URL, masquerading as a download for cracked software. This is further supported by heuristics indicating a malicious redirector and a link farm designed to attract users. The document body explicitly mentions 'Hotstar cracked apk onhax' and includes the malicious URL, reinforcing the social engineering lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=hotstar+cracked+apk+onhax
    • http://files.ppesafetycompliance.com/uploads/1/3/1/3/131379948/9991122.pdf
    • http://taxed.julytwentytwo.com/uploads/1/3/2/6/132681556/wolezodavesep-zamemumapol-sevet.pdf
    • http://kavipijud.gottfried-schweiger.org/uploads/1/3/0/8/130814328/4d76d.pdf
    • https://cdn.shopify.com/s/files/1/0432/6552/3870/files/gamenej.pdf
    • https://cdn.shopify.com/s/files/1/0430/4856/6938/files/bimizorokegarusapalavobad.pdf
    • https://cdn.shopify.com/s/files/1/0434/8873/9494/files/pebadov.pdf
    • https://cdn.shopify.com/s/files/1/0430/4293/0842/files/29869538466.pdf
    • https://cdn.shopify.com/s/files/1/0429/5668/5468/files/69247008753.pdf
    • https://cdn.shopify.com/s/files/1/0436/4235/5865/files/11162931339.pdf
    • https://cdn.shopify.com/s/files/1/0433/2843/8427/files/6010450677.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5694/files/47872094298.pdf
    • https://cdn.shopify.com/s/files/1/0438/2582/3906/files/bigaxonujox.pdf
    • https://cdn.shopify.com/s/files/1/0428/4956/6886/files/timipubilubi.pdf
    • https://cdn.shopify.com/s/files/1/0430/9814/4932/files/wevowidibopawadi.pdf
    • https://cdn.shopify.com/s/files/1/0433/6363/1272/files/falefonoresokake.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a48.bin
74116d2d2910c8d966bc1f65fdfa9d7fa74e691a505550bff6b0410e85055fe8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A48 5220 bytes
font_01_sfnt_off00007bfd.bin
27263600835c1e27b053cabac8719d02515b57872fbced0550ad737ac222703d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BFD 10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.