Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcb6bda46588daf7…

MALICIOUS

PDF

46.4 KB Created: 2020-09-02 01:36:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c9691ad2d1dbeb31a4e05129ddac548 SHA-1: 9a7511bb49de40438e08017131481afcf413c4e5 SHA-256: fcb6bda46588daf7ccdd4d822fda5888bc7aa9a40a5e62def6be1e9b622c2286
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to 'adventure time game wizard apk data' and the malicious URL, suggesting a lure for users to download potentially harmful content. The presence of a link farm heuristic further indicates a malicious intent to distribute links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=adventure+time+game+wizard+apk%252B+data
    • https://static.usrfiles.com/ugd/3aee12_6ac0fbe072604298a10928f6c311d022.pdf
    • https://static.usrfiles.com/ugd/4b68be_0553a854ee694cc5a5776f8d0f06b5fa.pdf
    • https://static.usrfiles.com/ugd/b8c837_7fc11c3a676642a194389e4fea123cbc.pdf
    • https://static.usrfiles.com/ugd/7c3584_68e8c74674af41b4a0a98c9b4c13c590.pdf
    • https://static.usrfiles.com/ugd/b8c837_465b0c3ebe4b43219b3f6ec87d22ccf5.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc105667636b409cac439df943fa0c99.pdf
    • https://static.usrfiles.com/ugd/ca300b_62d7b69ebc454a2b9dafce67a7fec14d.pdf
    • https://static.usrfiles.com/ugd/1a89c8_083071b347cf49d0892b9f2c0a068e42.pdf
    • https://static.usrfiles.com/ugd/87a178_092b64e57f80487eb48c8362340e486a.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/66691602327.pdf
    • https://cdn.shopify.com/s/files/1/0433/9027/1638/files/mekekuzofadukasemuli.pdf
    • https://cdn.shopify.com/s/files/1/0433/7047/9768/files/15283430936.pdf
    • https://cdn.shopify.com/s/files/1/0438/8572/3816/files/andis_official_blade_guide.pdf
    • https://static.usrfiles.com/ugd/1b8612_28f68fa6a72c4568bf57de72de81715c.pdf
    • https://static.usrfiles.com/ugd/b8c837_3bc711463b5543f9bfda39dff8fea57d.pdf
    • https://static.usrfiles.com/ugd/0a052f_0991887cbee84f9ba9a17f0e617ffa03.pdf
    • https://static.usrfiles.com/ugd/19ce5d_bea30888f2064f4394ea95bc1940e1ee.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070dc.bin
32c7e5b179afd7ad2206e3aa72c951b38f3738ab80a53e59940a5540353bcd4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70DC 5324 bytes
font_01_sfnt_off00008300.bin
fa1d94a62650f105cff842e6e208cb3ca51d72d4ead35492d932dda7285bab46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8300 14052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.