Malicious PDF — malware analysis report

Static analysis result for SHA-256 c41a25d21184e55e…

MALICIOUS

PDF

44.8 KB Created: 2020-09-17 00:56:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e0bc7fdf8ae238a59d11e02a4aeace4 SHA-1: b359d18c7f465b6647a2492e43a3f478df4f6f60 SHA-256: c41a25d21184e55efa0f12ba6b1a29e1a93bfdf432947047784103225d777e5a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to known malicious redirector infrastructure or are part of a link farm. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'American sniper script pdf' and includes URLs that are likely intended to lead the user to malicious content. The presence of a malicious redirector link is a strong indicator of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=american+sniper+script+pdf
    • http://files.alissabethphoto.com/uploads/1/3/1/6/131636890/buwajatewiw.pdf
    • http://files.ericaamatori.com/uploads/1/3/2/7/132740413/niwejilamubute.pdf
    • http://files.fasnfamilynetwork.org/uploads/1/3/2/6/132681769/3296541.pdf
    • http://fapifikof.nourishedpath.net/uploads/1/3/0/8/130874276/vedemabibogo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8326/0314/files/wibetexulusuv.pdf
    • https://4489898e-db10-4c94-af07-9e1611b4424c.filesusr.com/ugd/2d1648_f9ac9a966fad472bbd50562227e86231.pdf?index=true
    • https://5da858ef-2263-45cc-94fa-550d4cb105bd.filesusr.com/ugd/eb6c48_af2dbb8a818443bd917d8d5dc1bff374.pdf?index=true
    • https://73ae9a4d-3a7e-4c9f-9a26-0902c9594636.filesusr.com/ugd/d162e3_a8d432b3594e4dc2b17d4d21dd330e75.pdf?index=true
    • https://7c899d32-e29d-4b37-a1c8-c9d41de10db3.filesusr.com/ugd/3835dd_cceab124c1d74678828edaccbaddc884.pdf?index=true
    • https://b5f7f852-8ffe-43f9-bcd6-10b445510780.filesusr.com/ugd/585b1d_0f06c35dfa274acc8ba14aea1d102f2c.pdf?index=true
    • https://3ffb5109-9bfa-4b6d-bf40-7a88141a0b00.filesusr.com/ugd/1be480_252da6b54c38488fa41b292b7e17f48f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007187.bin
4875c785dfde76de60f7f08dd394031c64edab9e1ed094f26a81c1fc31f5b91e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7187 5260 bytes
font_01_sfnt_off00008351.bin
e01effc4397b62d0a3d57c90852505dfc758242c9dae01386e5abf91d3d048b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8351 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.