Malicious PDF — malware analysis report

Static analysis result for SHA-256 c27a7409d8c55b43…

MALICIOUS

PDF

32.7 KB Created: 2020-08-02 13:33:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59df74761df74a98d9c38a1a7589770b SHA-1: 6639ab8cd33c2a4e26216b5299ff3d7930524ee4 SHA-256: c27a7409d8c55b4366cc3d3f23bcfa80d74e010bbb0b1d6777fc23c60eb0414d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to a URL designed to facilitate the download of ROMs. The document body also contains a similar URL, reinforcing the lure. The PDF also contains a large number of embedded links, many of which point to Shopify domains hosting PDF files, suggesting a link farm for SEO manipulation or to obscure the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=pokemon+white+2+rom+download
    • http://files.corningfootball.org/uploads/1/3/1/6/131606169/2719968.pdf
    • http://files.bettysmakingmusic.com/uploads/1/3/1/3/131383823/0ac7579b2c662.pdf
    • http://files.hallielee.com/uploads/1/3/2/8/132815961/5788720.pdf
    • https://cdn.shopify.com/s/files/1/0431/0718/8898/files/fewedemalidefoda.pdf
    • https://cdn.shopify.com/s/files/1/0436/2331/7662/files/xofiwawawezugu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1239/9009/files/harry_potter_novel.pdf
    • https://cdn.shopify.com/s/files/1/0433/4062/8120/files/14803967160.pdf
    • https://cdn.shopify.com/s/files/1/0428/4920/6439/files/97924172302.pdf
    • https://cdn.shopify.com/s/files/1/0432/4347/1003/files/65289781706.pdf
    • https://cdn.shopify.com/s/files/1/0429/1405/4300/files/44574662365.pdf
    • https://cdn.shopify.com/s/files/1/0439/3720/2344/files/wajufafo.pdf
    • https://cdn.shopify.com/s/files/1/0445/4517/9807/files/4chan_get_script.pdf
    • https://cdn.shopify.com/s/files/1/0438/1681/2706/files/kibejaba.pdf
    • https://cdn.shopify.com/s/files/1/0439/1193/8216/files/savogujikuvirejiduni.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000043fd.bin
d52db37ef84cf359e9a6450be40ea0c6612d00486845da13be7b3014426fa62c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43FD 5176 bytes
font_01_sfnt_off0000557e.bin
7c2380e5e1f49b3298a43134cd0023d05e4cbfcc265dcc22ee4a1d27f858e2c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x557E 9608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.