PDF malware analysis — malicious · ca4fd766d8eefee1

MALICIOUS

PDF

40.8 KB Created: 2020-09-20 06:52:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 72ea1432bd4e16b11cd7bf0fe44dcfd2 SHA-1: 2f93904868dd85c3769fe88437801cb4597223e4 SHA-256: ca4fd766d8eefee18db04470054f20d08fc7e708a1fbd222df6eda7ae50c53d9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a link to a redirector, which in turn leads to a site offering a 'Grand Theft Auto San Andreas mod apk free download'. This is a common lure for users seeking game modifications, likely to trick them into downloading malware. The document also features a large number of embedded links to other PDFs, suggesting a link farm for SEO manipulation or to distribute further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=grand+theft+auto+san+andreas+mod+apk+free+download
- http://lexefes.livingsoulplete.com/uploads/1/3/1/6/131636725/woparifenuweti.pdf
- http://gapabip.jordanrowerva.com/uploads/1/3/0/8/130874218/tabasemabawek.pdf
- http://files.connoisseurstours.com/uploads/1/3/1/8/131857071/abaa266e7dc9a.pdf
- http://files.spiritfireshaman.com/uploads/1/3/2/7/132741382/lotizakisubanas-xutov-tijonopimubepal.pdf
- http://files.livingwellandsimply.com/uploads/1/3/1/3/131379832/a885aa504e7d0d.pdf
- http://meresu.chearsstudy.org/uploads/1/3/0/7/130776826/zixubozidukozo.pdf
- http://files.elrinteriors.com/uploads/1/3/0/9/130969231/tejamuroro.pdf
- https://bf9a4c19-2bf8-42b1-8354-69cef7c9b74d.filesusr.com/ugd/429b25_70c4aa6dee714051bf88b27990c1b148.pdf?index=true
- https://99987683-c395-4ee7-b9f4-2f5354ae5a7d.filesusr.com/ugd/0cd019_97b89ea72c7f4b49be7f9dd32c5f0325.pdf?index=true
- https://21d092bf-88a2-4c09-9f75-e90773912b77.filesusr.com/ugd/fedf23_9d2fd6bdefc341a5a03da8101b51ad03.pdf?index=true
- https://14722ec2-b422-48c8-98c8-20223e3b9c84.filesusr.com/ugd/9f69bd_7219029d734b40dc94d2eddd01c8bbd0.pdf?index=true
- https://182eaae6-4966-4e8e-a7e3-64a30c9370a6.filesusr.com/ugd/4d6844_0f3fa02302eb46ff9d854fdb75d7d909.pdf?index=true
- https://8ccb590f-78cc-43d3-b8ed-c1ee8ea5621d.filesusr.com/ugd/fac845_205b37ef002f483cb2ddaea69971fa04.pdf?index=true
- https://0a447efa-8022-402c-a3dd-327d472c8760.filesusr.com/ugd/4dbf3f_bd9ea39bc5c6431ba80810dc0e4b511e.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000603e.bin` `8124e55749313a8fc7a76376c9c60b0b350e715bfff49927d152f87d3ceccfda`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x603E	5468 bytes
`font_01_sfnt_off000072c2.bin` `d5ad62efc1d91d8da33d719bbda2c115342e4dd16d7b011424e5ba20754974bd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72C2	10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.