Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf8c7286a25e2cf6…

MALICIOUS

PDF

47.0 KB Created: 2020-09-01 05:12:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3cb5ef4305ddb8a53522f5526194be39 SHA-1: 9598b48984a95af3fe057dd0bb15b626bef4c7bb SHA-256: cf8c7286a25e2cf6af45f60d8db2dd6e861f29875060c6a81fc8610fcace6ce5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that, when clicked, redirects to a malicious URL. The document body text and embedded URL suggest a lure for downloading an Android game, likely a social engineering tactic to redirect users to potentially harmful content or malware. The PDF also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO spam or link farm techniques used to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=brawl+stars+apk+cenneti+indir
    • https://cdn.shopify.com/s/files/1/0432/8741/2900/files/45524990210.pdf
    • https://cdn.shopify.com/s/files/1/0433/7316/6744/files/72349065594.pdf
    • https://cdn.shopify.com/s/files/1/0433/9128/7461/files/69665676093.pdf
    • https://cdn.shopify.com/s/files/1/0428/8688/9625/files/kufewatifijogikubame.pdf
    • https://static.usrfiles.com/ugd/2ca22b_bdaadeb30db242369bbd3e4555897c75.pdf
    • https://static.usrfiles.com/ugd/b5472a_d2eb6cd64be14857aafb77f3810458aa.pdf
    • https://static.usrfiles.com/ugd/8cbfce_31cea6636f9943689a80fb7c9599d21f.pdf
    • https://static.usrfiles.com/ugd/71fd01_2dee3d0521f44caea09a3c7290a3b618.pdf
    • https://static.usrfiles.com/ugd/912de2_7f8d0801ea3b429f92445d486778a169.pdf
    • https://static.usrfiles.com/ugd/b8c837_a811c98b19fb400c9221fc933725b746.pdf
    • https://static.usrfiles.com/ugd/b8c837_ce4376c3d3a342f391a01856abd891d4.pdf
    • https://static.usrfiles.com/ugd/fac845_471af774bbdb4325ab9c9079a8849f47.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed5ff982e8504dd98857a5e5da02b28d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000583d.bin
a3976b0f506ae12a97404df99d7d26f2f29bddb45c3ed1e879034157b4eef082		 pdf-font-stream PDF embedded font (sfnt) at offset 0x583D 4952 bytes
font_01_sfnt_off0000692a.bin
e06c706790738ada44b71d30bcbdbe8fe77c133cdb226f4c98c9a758b1ba3dac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x692A 10068 bytes
font_02_sfnt_off00008be5.bin
4c0a3f0893f5e69c6acf0c6b7f036872587aec6188c41bdd40a009ab43c82216		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BE5 16060 bytes
font_03_sfnt_off0000a076.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA076 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.