Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf15a298d610985a…

MALICIOUS

PDF

36.6 KB Created: 2020-08-25 07:46:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff738fa5357e3b0ac6164fc05822c27f SHA-1: 131e3c1ef0333780b8fad19e1a4b37ee8c5678c2 SHA-256: cf15a298d610985a34790d89f92bb6edb0eab6ae7649307af89f780ebfd30d69
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to a known malicious infrastructure, identified by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The document body also contains the text 'Old betking app' and the malicious URL, suggesting a lure to a potentially fraudulent or malicious application. The presence of a large number of external PDF links, as flagged by 'PDF_SEO_LINK_FARM', further indicates a link farm or spamming activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=old+betking+app
    • http://files.shinnbros.com/uploads/1/3/1/4/131453998/pujizokiv-rojixefonam-dinukasuzatab.pdf
    • http://butibete.stillherethinkingofyou.com/uploads/1/3/2/7/132741194/1261516.pdf
    • http://mufamijob.mrspeed.co.uk/uploads/1/3/1/4/131407057/5232713.pdf
    • http://files.seasonsheart.com/uploads/1/3/1/3/131381900/2630337.pdf
    • https://cdn.shopify.com/s/files/1/0434/9224/5666/files/89572846541.pdf
    • https://cdn.shopify.com/s/files/1/0434/7432/1560/files/lipid_profile_2020.pdf
    • https://cdn.shopify.com/s/files/1/0437/7670/4664/files/tujisaxanigix.pdf
    • https://cdn.shopify.com/s/files/1/0429/0763/1783/files/frm_schweser_notes_2015.pdf
    • https://cdn.shopify.com/s/files/1/0436/5221/9030/files/bartolome_de_las_casas_libros.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1261535930.pdf
    • https://cdn.shopify.com/s/files/1/0429/3391/1705/files/54892301935.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000516c.bin
b5b2f52b30121ad1ec4ac7da36084d645bcaa8ebcadb7c0132350352fd7e09c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x516C 5084 bytes
font_01_sfnt_off000062c8.bin
6cbdbbe0aa4c4a213e4f117966b74e7777ef67dfddef4e1723b3570e182468ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62C8 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.