Malicious PDF — malware analysis report

Static analysis result for SHA-256 f624e389ae9ba42a…

MALICIOUS

PDF

35.4 KB Created: 2020-08-14 22:06:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84abb0b117eb16c815db92c037dca6a2 SHA-1: a59d6ef328dd4e9607d868b70fee90931fa877f0 SHA-256: f624e389ae9ba42aa0334c52113b6da0f12b3c619908e278eef5c827a09c130e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/pify?keyword=chhello+divas+full+hd+movie++720p', is designed to lure users with a fake movie download. The file also exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=chhello+divas+full+hd+movie++720p
    • http://lisajemib.cfnatomas.com/uploads/1/3/0/7/130775493/186988.pdf
    • http://files.helpsaveourkids.org/uploads/1/3/2/6/132681482/kadelo_wifozoz.pdf
    • http://files.doorbeopen.com/uploads/1/3/0/8/130814718/jepalujopefasuli.pdf
    • https://cdn.shopify.com/s/files/1/0434/5180/9957/files/assembly_language_programming_arm_cortex_m3_vincent_mahout.pdf
    • https://cdn.shopify.com/s/files/1/0430/2677/6227/files/59111331509.pdf
    • https://cdn.shopify.com/s/files/1/0430/8100/7255/files/14346654388.pdf
    • https://cdn.shopify.com/s/files/1/0432/6401/6539/files/sikixemakokorexanofa.pdf
    • https://cdn.shopify.com/s/files/1/0429/6415/6575/files/dezusikanajelajawefi.pdf
    • https://cdn.shopify.com/s/files/1/0429/6055/2085/files/46376790135.pdf
    • https://cdn.shopify.com/s/files/1/0430/4273/4237/files/warcraft_3_frozen_throne.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46905239833.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c45.bin
ffbc70274c265b26280c780d7b700f430a350c320681256c902ad3e68ec781d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C45 5504 bytes
font_01_sfnt_off00005eef.bin
1d79f92c33ad06663ba5749ec153014dc1e60f6560e3da499c5cf6696151fb50		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EEF 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.