Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8cfcf411cd4bb0f…

MALICIOUS

PDF

36.6 KB Created: 2020-09-06 11:55:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: feab643f682939320a0a16e65d5888b2 SHA-1: 28a0e2339f8778146e67d7472163b40e5add0abc SHA-256: c8cfcf411cd4bb0fae4308f5ade02500174c7c7a5cf2b8ed1f62ed55db2ff3bc
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. It also features a visual download button lure, suggesting a social engineering attempt to trick the user into clicking the link. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the attack pattern. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bombay+tamil+movie++kuttyweb
    • https://static.usrfiles.com/ugd/d9d1f5_83fef858f9bf452e93be136651c20817.pdf
    • https://static.usrfiles.com/ugd/5926b4_9b6f64dcb73c4968a87e96890a6df9e8.pdf
    • https://static.usrfiles.com/ugd/ab059d_9af67e417df348e4b927e20b7f6fdcc7.pdf
    • https://cdn.shopify.com/s/files/1/0440/5601/9109/files/kosemevelokaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/1615/9385/files/bus_game_2017.pdf
    • https://cdn.shopify.com/s/files/1/0427/7954/1671/files/ruvojixonubo.pdf
    • https://cdn.shopify.com/s/files/1/0432/6516/3422/files/26582877560.pdf
    • https://cdn.shopify.com/s/files/1/0429/1543/0553/files/reshape_numpy_array.pdf
    • https://static.usrfiles.com/ugd/0dd040_321123fba88848c99fe54d5e154c49bd.pdf
    • https://static.usrfiles.com/ugd/1f2646_588fb26797be44be85c175496b7d87e5.pdf
    • https://static.usrfiles.com/ugd/5438e3_f65ee19e429147aa9dc6c77209879eb7.pdf
    • https://cdn.shopify.com/s/files/1/0428/7227/5103/files/69742761303.pdf
    • https://cdn.shopify.com/s/files/1/0429/9315/6259/files/74614258438.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050f9.bin
20b52d6757208c4533435f62032b4c1813e27c9bdf2af63d70d5f4932caa48b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50F9 5064 bytes
font_01_sfnt_off0000623f.bin
78b4e9b18d684fa08802abd5377ac396ca326693e7490d91ac4fc0931faa9111		 pdf-font-stream PDF embedded font (sfnt) at offset 0x623F 10504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.