Malicious PDF — malware analysis report

Static analysis result for SHA-256 e067003dc9ea1974…

MALICIOUS

PDF

39.9 KB Created: 2020-08-29 11:00:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7dbd38a2ff50bf9ef1ab1f2a77f74036 SHA-1: 75d59ef5c03fc012d542c30f4c8240219141b004 SHA-256: e067003dc9ea19740741bee5055e72295b196d7ee41f7533dc6f6f72a1d3719c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a game update, likely intended to lead the user to a malicious download. The document body, though heavily obfuscated, contains the malicious URL and references to game updates. The presence of numerous embedded links to external PDFs, many hosted on static.usrfiles.com, indicates a link farm strategy to obscure the ultimate destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=boom+beach+latest+update+mod+apk
    • https://static.usrfiles.com/ugd/b8c837_c47e920139394044935331e50718e849.pdf
    • https://static.usrfiles.com/ugd/b8c837_0615030b34e94baab4a6cb96bc143ad6.pdf
    • https://static.usrfiles.com/ugd/b8c837_1a52afa8c6864c83950bca15c2dd21f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_28a425e369a54c39bbb2a8fcb70a94a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fcc576ca8564adf9185efd0e838529a.pdf
    • https://static.usrfiles.com/ugd/b8c837_e392bc79161543b7b6f1b01790f5d232.pdf
    • https://static.usrfiles.com/ugd/b8c837_55766d608c5141be8a9b6785fb8ad384.pdf
    • https://cdn.shopify.com/s/files/1/0440/3331/0870/files/collins_ielts_vocabulary.pdf
    • https://cdn.shopify.com/s/files/1/0427/6197/8023/files/47590164364.pdf
    • https://cdn.shopify.com/s/files/1/0440/1420/7134/files/taxejutukevawuna.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab1d35f27caf49f5a018856694e8090c.pdf
    • https://static.usrfiles.com/ugd/b8c837_88df5c8725814e8daedac952781e8b81.pdf
    • https://static.usrfiles.com/ugd/b8c837_76426c93836a446db7be881da02757fc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e43.bin
39a98a2d0f507c4400204eaafc628f86864707b0e21fd8bf95d181ec9d31d52a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E43 5472 bytes
font_01_sfnt_off000070b3.bin
bbeff1c4498c418f76074e8f0466ee46a232c7932e03220bc6fb7b186427c991		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70B3 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.