Malicious PDF — malware analysis report

Static analysis result for SHA-256 c59aa8744af745b2…

MALICIOUS

PDF

47.5 KB Created: 2020-08-31 09:19:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b79efe92fc5158390895e62531d75c3 SHA-1: 9c9826c3a6e8553386da0824cd70079e340e3959 SHA-256: c59aa8744af745b2a74c7f43345140eeeaa279883640a88454c956ce02b40d27
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a prominent link that, when clicked, redirects to a malicious URL. The document body, though heavily obfuscated, contains the text 'Blink 182 free mp3 download' and the malicious URL itself, indicating a lure for users seeking free content. The PDF also contains a large number of external links, suggesting a link farm or redirection strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=blink+182+free+mp3+download
    • https://cdn.shopify.com/s/files/1/0431/2160/6817/files/nevikoluguzawedopavegu.pdf
    • https://cdn.shopify.com/s/files/1/0429/9977/5381/files/narujavotekofiguvin.pdf
    • https://cdn.shopify.com/s/files/1/0428/9354/1532/files/sedarutewimo.pdf
    • https://cdn.shopify.com/s/files/1/0433/5403/0231/files/batabenijuzevad.pdf
    • https://static.usrfiles.com/ugd/9b5f63_89517231a45f48039b992f925632a83c.pdf
    • https://static.usrfiles.com/ugd/8de238_a2966ca2b70742eaac411a7c3365bc41.pdf
    • https://static.usrfiles.com/ugd/1b8612_591024f2868944dcb8010e3466a8552c.pdf
    • https://static.usrfiles.com/ugd/345929_a849c7f5cdcc4ba4834bfa987370f2e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_d667486735de4c35b8a8b58a211e07ee.pdf
    • https://cdn.shopify.com/s/files/1/0448/0358/8258/files/apes_frq_2018_scoring_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0432/8197/3403/files/play_store_apps_pending_problem.pdf
    • https://cdn.shopify.com/s/files/1/0430/4021/1097/files/27517460792.pdf
    • https://static.usrfiles.com/ugd/ca32a8_b2b8a6634778447ebb8e59d19d59d312.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_ddb77d843a1f42729aa665e49ab28058.pdf
    • https://static.usrfiles.com/ugd/b8c837_16e7d89d06c64bd5ab6d66e6ba37cc17.pdf
    • https://static.usrfiles.com/ugd/97493d_107456dddaa64deea71ff56ce4368048.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078da.bin
961e66bf34ce95db46f81222d5a9b0123bb3ea9ebaa00e6777c1ac24f5eb477b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78DA 5756 bytes
font_01_sfnt_off00008c68.bin
49c310e7f9e43ec64d4f2dfa5403d99d6c698440f03ddb8f93e6d28a18dd4a20		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C68 10644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.