Malicious PDF — malware analysis report

Static analysis result for SHA-256 df129cc9024f7dbe…

MALICIOUS

PDF

38.0 KB Created: 2020-08-29 23:16:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64cd55eea15b3a010b0eca4c0577176b SHA-1: 22402e6e830301d5b992ce30383e98faa2659ea7 SHA-256: df129cc9024f7dbebd5805da12eb6bd32cacaed97fb1af094c596dbf6acb6d8d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a redirector URL, which is a common tactic for distributing malware or phishing content. The document body, though heavily obfuscated, contains text related to 'Pokemon emerald gba file download', suggesting a lure to trick users into clicking the malicious link. The presence of a link farm heuristic further indicates a malicious intent to drive traffic to external sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=pokemon+emerald+gba+file+download
    • https://static.usrfiles.com/ugd/d01287_905f02caeb6a4c42960b10be46bcabad.pdf
    • https://static.usrfiles.com/ugd/41a0b6_942f36b31ff84e6bb8d4e0f2560c1eee.pdf
    • https://static.usrfiles.com/ugd/b8c837_ebc206580f4e41639b32a3acb87238f6.pdf
    • https://static.usrfiles.com/ugd/96768c_31eebd3c28d747b381c1589700e65323.pdf
    • https://static.usrfiles.com/ugd/83f04e_32f51fc889f54814aa545aa8fa752472.pdf
    • https://static.usrfiles.com/ugd/30e015_416891c2ea134ab2863a5ec8105fd653.pdf
    • https://static.usrfiles.com/ugd/b8c837_ffdba306e8c349b2bb3b062d0249fb7e.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb275e7da9c0471490bf517e1f9ab0d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_c785f6b2bd0d4143859cd5ffc770dd9f.pdf
    • https://static.usrfiles.com/ugd/93c935_84c1e4b554e5440bbe6da97c226a8b0d.pdf
    • https://static.usrfiles.com/ugd/b8c837_24aea0c63e874923a51c64b47926ef78.pdf
    • https://static.usrfiles.com/ugd/10b11f_aead9700101c4ed496764a4856633d1a.pdf
    • https://static.usrfiles.com/ugd/e73fea_7faae06a09d949f3a142da03a44eeab3.pdf
    • https://static.usrfiles.com/ugd/b8c837_b7566470a67f4d2f9b2a0e6f8c7a8f65.pdf
    • https://static.usrfiles.com/ugd/b88e3d_3fd8ced6d10c4010b5aa2fd11b021743.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000049be.bin
dbd78a93165ffceddae77f8c829c577dc249904fa6b9073c5ae77a6face44d2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x49BE 5052 bytes
font_01_sfnt_off00005ada.bin
a6daf70a582a44760e2f15c2453b1a25cc47b890378fde63816b201a3aff8aaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ADA 10028 bytes
font_02_sfnt_off00007d01.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D01 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.