Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d7b45853038dbb…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Created: 2020-08-30 14:28:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73e48a5b655ed605fbea2cdcf6398884
SHA-1: 422334734d79fa38e5a43698682295d0f01f1c6e
SHA-256: e5d7b45853038dbba6dd50c1051598df53572c5c19460ccafba81fb89087133d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, one of which is identified as a known malicious redirector. The document body, though heavily obfuscated, includes a URL that appears to be a lure built around a movie title. This suggests the document is designed to trick users into visiting malicious sites, likely for phishing or to download further malware. The malicious redirector link is the primary indicator of malicious intent.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=mardaani+full+movie+rani+mukherjee

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006171.bin
  SHA-256: 140e4dabb18629fc163935106f9a0c0e2a09442e81f4e7de25427d026ed90bab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6171
  Size: 5176 bytes

Filename: font_01_sfnt_off000072ec.bin
  SHA-256: b0f062a4acddff3b9ccead8e65f317556845821837b25b725276ce914cce0725
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x72EC
  Size: 10344 bytes

Filename: font_02_sfnt_off00009690.bin
  SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9690
  Size: 16164 bytes