Malicious PDF — malware analysis report

Static analysis result for SHA-256 f24c321b202c2d57…

MALICIOUS

PDF

39.1 KB Created: 2020-08-30 06:56:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91ba6d65bcb1dd2090d3cf0761b56206 SHA-1: 733ec594d7fbd29b8974bb20bc380902043d6b27 SHA-256: f24c321b202c2d57a6aa18177030f15d88d62b6a9327a19303828d8b4d30aff0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to a URL that appears to be a lure for downloading software. The document body also contains this URL and references to 'starcraft brood war winulator download', suggesting a social engineering pretext. The presence of a large number of external PDF links, many pointing to static.usrfiles.com, indicates a link farm designed to attract traffic, likely for malicious purposes.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=starcraft+brood+war+winulator+downlo
    • https://static.usrfiles.com/ugd/b8c837_04df39916c0448b7893174574e4d757d.pdf
    • https://static.usrfiles.com/ugd/80c1db_5dd0eebb2b3a44909661e9cc65d4331b.pdf
    • https://static.usrfiles.com/ugd/bb13a2_81057462f608470db40cf2a78aa1a436.pdf
    • https://static.usrfiles.com/ugd/01e791_7142f3abe8bf44509466ee057f2dff56.pdf
    • https://static.usrfiles.com/ugd/b4609a_c0a864f145e64c7485deb6c18c247390.pdf
    • https://cdn.shopify.com/s/files/1/0437/7578/7157/files/9113730790.pdf
    • https://cdn.shopify.com/s/files/1/0431/8543/8883/files/sgx_annual_report_checklist.pdf
    • https://cdn.shopify.com/s/files/1/0433/2866/7816/files/familias_assentadas_reforma_agraria.pdf
    • https://cdn.shopify.com/s/files/1/0433/7133/1734/files/71069229271.pdf
    • https://static.usrfiles.com/ugd/b8c837_dc9f49499aad4e9d969b7b51fc7e39d7.pdf
    • https://static.usrfiles.com/ugd/83b1b3_30c19c2d1df34f2e8bd193f586355c13.pdf
    • https://static.usrfiles.com/ugd/6cf392_cf63bbbfc943452fa5900b2664c6c9ee.pdf
    • https://static.usrfiles.com/ugd/10e3af_7dca9fd6e7fc48dda699c5c95c2d9cf4.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pegumi.pdf
    • https://cdn.shopify.com/s/files/1/0434/3706/4354/files/king_james_1611_with_apocrypha.pdf
    • https://cdn.shopify.com/s/files/1/0432/0631/2091/files/5632010162.pdf
    • https://cdn.shopify.com/s/files/1/0431/1613/4551/files/pumikej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ab8.bin
021c5ee49d9b0eae2cc9e2a2cc59d9f38c15e37c78c9f1692b56dcb0d27fc76a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AB8 5172 bytes
font_01_sfnt_off00006c62.bin
844421a2a7b46b7b28c1cdc02a1814661af26acd5c793cd8a3f39c455d37df40		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C62 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.