Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9bce67a3f09ba0a…

Verdict: MALICIOUS
File type: PDF
Size: 59.2 KB
Created: 2020-09-03 09:35:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72051e6e321ebdfdb29a22ef0db2c0e8
SHA-1: 6ebd6d12dc32fb12b547b94c1263186a2d0a3385
SHA-256: f9bce67a3f09ba0a317071e4e8f76fb401699d19343f7b3b2a5af139c00d21f6
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link   T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries a clickable link to a URL on a known redirector host (ttraff.club), baited as a "commandos game for windows 10" download; the PDF_MALICIOUS_REDIRECTOR_LINK heuristic fired on that link annotation. The same small document also holds a cluster of external .pdf links on cdn.shopify.com and static.usrfiles.com, the signature of a generated SEO link-farm carrier, so the file's purpose is to route search traffic into a redirect chain rather than to exploit the PDF reader. No JavaScript, embedded file or script was extracted from the sample, so nothing in this file evidences the T1059.001 (PowerShell) stage; that mapping can only be confirmed by following the redirect chain past the first hop.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/pify?keyword=commandos+game++for+windows+10
    • https://cdn.shopify.com/s/files/1/0429/7441/2949/files/1898351737.pdf
    • https://cdn.shopify.com/s/files/1/0436/5382/4677/files/8933388121.pdf
    • https://cdn.shopify.com/s/files/1/0434/6249/2310/files/niguwebujalupamifaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/9663/7597/files/peyote_stitch_patterns_free.pdf
    • https://cdn.shopify.com/s/files/1/0436/5543/0309/files/pewozetolosufudidinagul.pdf
    • https://static.usrfiles.com/ugd/902d29_c0fbc5eb1cda4a6498090b426556e931.pdf
    • https://static.usrfiles.com/ugd/95ea6b_c6ba6c07415a4f44896e7369f2df52ab.pdf
    • https://static.usrfiles.com/ugd/a86d68_09c7c81c78b044da8c257b0b117eec7b.pdf
    • https://static.usrfiles.com/ugd/8ab72e_591fc7489202455aac26635e2773aecc.pdf
    • https://static.usrfiles.com/ugd/63f22d_368e01c1128046218dca1c8bb7e97049.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d9adcf7f3cb4488831910998b3b39ba.pdf
    • https://static.usrfiles.com/ugd/3f8d85_dc2fd99c3f59453abc3338c927b140c0.pdf
    • https://static.usrfiles.com/ugd/f523c3_18379bb6e135460a9da9871d8180a3b0.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_ceab4b7e99e74c61836a8603131821e1.pdf
    • https://static.usrfiles.com/ugd/d1c05f_7880d3078ab342c287de1b9330040d93.pdf
    • https://static.usrfiles.com/ugd/73c254_cfbc7e78d4cc4a5d9af1b78db3f623da.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six http:// entries above are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links; they are listed for completeness and should not be counted toward the link-farm pattern.
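To show how the three heuristics above fit together in practice, here is an added example that re-implements them over raw PDF bytes with the Python standard library only. It is not the analyzer's own code: the thresholds (file size, minimum link count, host-clustering ratio) are assumptions, the redirector indicator set is seeded from this report's verdict rather than a real intel feed, and the test document is constructed inline. It labels each URL by the channel it was found in, so XMP namespace URIs are never counted as links, and it inflates FlateDecode streams before searching, since generated PDFs usually keep their objects compressed.

```python
"""Added example: stdlib-only re-implementation of the report's link heuristics
(EMBEDDED_URL per-channel labelling, PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM).
Not the analyzer's code; thresholds and the indicator set are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumption: seeded from this report's verdict; a real deployment loads a curated intel list.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}

# "N G obj << ... >> stream": anchoring on the object header avoids false starts in binary data.
STREAM_RE = re.compile(rb"\d+\s+\d+\s+obj\s*<<(?P<dict>.*?)>>\s*stream\r?\n", re.DOTALL)
# /URI (literal), allowing PDF string escapes such as \) inside the literal.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Namespace declarations in the XMP metadata packet; these are identifiers, not clickable links.
XMLNS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')


def iter_stream_bodies(data: bytes):
    """Yield each stream body, inflating FlateDecode streams (generated PDFs compress most objects)."""
    for m in STREAM_RE.finditer(data):
        d = m.group("dict")
        length = re.search(rb"/Length\s+(\d+)", d)
        start = m.end()
        if length:
            body = data[start:start + int(length.group(1))]
        else:
            body = data[start:data.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or corrupt stream: skip it rather than abort the scan
        yield body


def _unescape(lit: bytes) -> str:
    """Undo PDF literal-string escapes (\\) \\( \\\\) and decode as Latin-1."""
    return re.sub(rb"\\(.)", rb"\1", lit).decode("latin-1")


def extract_urls(data: bytes):
    """Return ordered, de-duplicated (channel, url) pairs found in the raw file and in inflated streams."""
    found = []
    for blob in [data, *iter_stream_bodies(data)]:
        found += [("link-annotation", _unescape(u)) for u in URI_RE.findall(blob)]
        found += [("xmp-namespace", ns.decode("latin-1")) for ns in XMLNS_RE.findall(blob)]
    seen, out = set(), []
    for pair in found:
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def assess(data: bytes, max_size=200_000, min_links=8, cluster_ratio=0.5):
    """Apply the three heuristics to one PDF; thresholds are illustrative assumptions."""
    urls = extract_urls(data)
    links = [u for ch, u in urls if ch == "link-annotation"]      # only clickable channels count
    hosts = Counter(urlparse(u).hostname or "" for u in links)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    pdf_hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = pdf_hosts.most_common(1)[0] if pdf_hosts else ("", 0)
    verdicts = []
    if urls:
        verdicts.append(("info", "EMBEDDED_URL"))
    if hosts.keys() & KNOWN_REDIRECTOR_HOSTS:
        verdicts.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK"))
    # Small file, many external .pdf links, most of them on one host: the link-farm carrier shape.
    if len(data) <= max_size and len(pdf_links) >= min_links and top_n / len(pdf_links) >= cluster_ratio:
        verdicts.append(("critical", "PDF_SEO_LINK_FARM"))
    return {"urls": urls, "link_count": len(links), "pdf_link_count": len(pdf_links),
            "top_pdf_host": top_host, "verdicts": verdicts}


def build_sample_pdf(link_urls, xmp_namespaces) -> bytes:
    """Constructed test document (not the analyzed sample): link annotations inside a
    FlateDecode stream, mimicking an object stream, plus an uncompressed XMP metadata stream."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u.encode() + b") >> >>\n"
        for u in link_urls)
    packed = zlib.compress(annots)
    xmp = b"<x:xmpmeta " + b" ".join(
        b"xmlns:ns" + str(i).encode() + b'="' + ns.encode() + b'"'
        for i, ns in enumerate(xmp_namespaces)) + b"/>"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /ObjStm /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        packed, b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode() + b" >>\nstream\n",
        xmp, b"\nendstream\nendobj\n",
        b"%%EOF\n"])


# Constructed input modelled on the report: one redirector lure plus a 16-link farm, 11 on one host.
SAMPLE_LINKS = (
    ["https://ttraff.club/pify?keyword=commandos+game++for+windows+10"]
    + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/files/{i:010d}.pdf" for i in range(5)]
    + [f"https://static.usrfiles.com/ugd/{i:06x}_constructed.pdf" for i in range(11)]
)
SAMPLE_XMP = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP)
REPORT = assess(SAMPLE_PDF)

if __name__ == "__main__":
    for severity, name in REPORT["verdicts"]:
        print(severity, name)
    print(REPORT["pdf_link_count"], "external .pdf links, top host:", REPORT["top_pdf_host"])
```

On the constructed input the scan yields all three verdicts, and the two XMP namespace URIs come back labelled xmp-namespace so they never inflate the link count. The same file with only a couple of ordinary links would yield EMBEDDED_URL alone, which is the point of the per-channel labelling: the URL list is evidence, the verdict comes from the pattern.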

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000aa79.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAA79   5384 bytes
  SHA-256: aacfde5851666ed52d95d64ff339e4a596f301c61a48f52f07c0d930dd421a87
font_01_sfnt_off0000bcc4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBCC4   10204 bytes
  SHA-256: 421e426e894a82612a14f76f9d046fcf9153f8432bc5273771ff4c7e281bffe7

Both carved artifacts are sfnt (TrueType/OpenType) font programs of the kind wkhtmltopdf embeds for text rendering; no JavaScript, embedded file or other scriptable object was carved, consistent with a lure document whose payload lives behind the link rather than inside the file.