Malicious PDF — malware analysis report

Static analysis result for SHA-256 cae2da845ac1e68e…

MALICIOUS

PDF

48.6 KB Created: 2020-09-06 09:32:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71b07189742bfc64b465fe6d89d0e7d9 SHA-1: 4787e60ccddb8afd1cebda7b57331646e9c7d82b SHA-256: cae2da845ac1e68ecf7f936a1e3292c0b48660d9f79d8660d83ea325ff066ba9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'bodyguard movie video songs 1080p', likely intended to entice users to click the malicious link. The presence of a link farm further suggests an attempt to manipulate search engine results or distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bodyguard+movie+video+songs+1080p
    • http://cinurl.com/15rof7
    • https://static.usrfiles.com/ugd/b8c837_f9e1d09f19614707b9afe083cfef4409.pdf
    • https://static.usrfiles.com/ugd/d93890_557d095b28f64f5dad500feac8ceb151.pdf
    • https://static.usrfiles.com/ugd/c345b0_515c6f22c3de4635b33a43405b14b922.pdf
    • https://static.usrfiles.com/ugd/418e76_60fac3df31b247cbb182283d2a2e9994.pdf
    • https://static.usrfiles.com/ugd/917232_204609042e814d8d84db2ce53d282060.pdf
    • https://static.usrfiles.com/ugd/0af078_ffb3e6969d3a41c48885d23ae88987ca.pdf
    • https://static.usrfiles.com/ugd/078c79_8155ce3f948141e5819f3e38fceb3a14.pdf
    • https://static.usrfiles.com/ugd/837d34_60d07ad4fa884e9383a6cbae6a38bbd7.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lubogalevomiwubojaxijafax.pdf
    • https://cdn.shopify.com/s/files/1/0432/7899/1520/files/85412856137.pdf
    • https://static.usrfiles.com/ugd/40b9e6_e4e438be26074c218aa697ad5cec8edd.pdf
    • https://static.usrfiles.com/ugd/b8c837_825bd7d1a2074e9fba7e7e164ce6d92f.pdf
    • https://static.usrfiles.com/ugd/83f04e_05f2fe28b26c4e19a9902f6d49b41f70.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000620e.bin
c46fdfcba25f78d7bf656e06f5713ed674daf351b71f325c2a4bc29eca934403		 pdf-font-stream PDF embedded font (sfnt) at offset 0x620E 5848 bytes
font_01_sfnt_off000075f0.bin
439369814e897ddf4446fc64ad245d5caca9362ebafbe69dbe2093f2fb60a114		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75F0 13272 bytes
font_02_sfnt_off0000a05b.bin
e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA05B 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.