Malicious PDF — malware analysis report

Static analysis result for SHA-256 d092812876314149…

MALICIOUS

PDF

39.1 KB Created: 2020-08-17 00:02:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ad32c30d7f312995ac4c5b12fa3828e SHA-1: 7095f3c5b01151182d4f287b926189551dc72af4 SHA-256: d092812876314149383963ec18a9350f91f0a6fa6335479c1c15abc6e96c61a3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a link that redirects to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body explicitly mentions 'Windroy android emulator for windows 7' and includes the malicious redirector URL, suggesting a social engineering lure. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, many hosted on Shopify, likely to improve search engine ranking for malicious content. No scripts were extracted, but the primary attack vector appears to be a user-driven click on the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=windroy+android+emulator++for+windows+7
    • http://kebew.providencehurlingclub.com/uploads/1/3/1/3/131378950/a3022b58.pdf
    • https://cdn.shopify.com/s/files/1/0431/5935/5556/files/popopikepugemunu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0367/4785/files/xitalurinoxamigilex.pdf
    • https://cdn.shopify.com/s/files/1/0449/3754/3848/files/xufotu.pdf
    • https://cdn.shopify.com/s/files/1/0434/7317/4680/files/89662161285.pdf
    • https://cdn.shopify.com/s/files/1/0434/2448/1431/files/mubonus.pdf
    • https://cdn.shopify.com/s/files/1/0450/4292/5726/files/adobe_editor_purchase.pdf
    • https://cdn.shopify.com/s/files/1/0429/5399/8487/files/introduction_to_turbo_c_programming.pdf
    • https://cdn.shopify.com/s/files/1/0427/7963/9967/files/88697688434.pdf
    • https://cdn.shopify.com/s/files/1/0431/2491/6388/files/30317111076.pdf
    • https://cdn.shopify.com/s/files/1/0439/3120/5787/files/astm_a106_a106m.pdf
    • https://cdn.shopify.com/s/files/1/0430/5115/5618/files/watexorodexivex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005727.bin
53ef4e823251ab27705b45634bfa14005216add842aa00df436f85b17626b480		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5727 5340 bytes
font_01_sfnt_off00006958.bin
a2616bc640e2279fe30e8ae36d97d88b4384ef5d29f58a021f41d52ab6927bec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6958 12852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.