Malicious PDF — malware analysis report

Static analysis result for SHA-256 169d17658823161f…

MALICIOUS

PDF

42.2 KB Created: 2020-10-28 22:53:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 902f2d98e6b1cf4dd061e8363d1f8b27 SHA-1: fb34a8e3774ead28bf65d6ba4c77b4da06a4892a SHA-256: 169d17658823161f77afdac985687211baeda9e6da2278e1950b91a8d4b6d733
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, many of which point to external resources, indicating a link farm or redirection strategy. The primary malicious URL identified is 'https://gettraff.ru/aws?keyword=battlefront+2+mods+nexus', which is flagged as a known malicious redirector. The document's structure and the presence of numerous links suggest an attempt to drive traffic to potentially harmful websites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=battlefront+2+mods+nexus
    • https://cdn-cms.f-static.net/uploads/4366947/normal_5f8d3f94d8da9.pdf
    • https://cdn-cms.f-static.net/uploads/4377697/normal_5f8f2f2043cba.pdf
    • https://cdn-cms.f-static.net/uploads/4368246/normal_5f894a05da8c4.pdf
    • https://titawijuneve.weebly.com/uploads/1/3/4/0/134012454/3e33d3281e.pdf
    • https://cdn-cms.f-static.net/uploads/4370286/normal_5f8b0e67566ac.pdf
    • https://rikisuluwujufa.weebly.com/uploads/1/3/1/4/131452938/pemela-gilipegamelanil.pdf
    • https://cdn-cms.f-static.net/uploads/4368477/normal_5f87efc67262a.pdf
    • https://wijukipofijiko.weebly.com/uploads/1/3/4/3/134381856/2308729.pdf
    • https://cdn-cms.f-static.net/uploads/4369502/normal_5f8d25b8b760e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/matogapibelifiv/angulos_complementarios_ejercicios_resueltos.pdf
    • https://uploads.strikinglycdn.com/files/6865d7c9-81a6-4c71-a5bd-83b4b566c410/weduloda.pdf
    • https://uploads.strikinglycdn.com/files/5a478e4b-bc7c-41ef-a71a-eed6cf723cca/28946384960.pdf
    • https://uploads.strikinglycdn.com/files/b8cacf6d-4907-4756-98ed-c977749410e0/gavubewuxikekarose.pdf
    • https://uploads.strikinglycdn.com/files/c3d01889-68fd-4584-b2f4-133c4e661043/56694885669.pdf
    • https://uploads.strikinglycdn.com/files/34fc3ed4-a7be-4492-a877-088eb9fa2199/C3A9valuation_passC3A9_composC3A9_6C3A8me.pdf
    • https://s3.amazonaws.com/xipavir/25652710435.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000640b.bin
136feb4a807354ffb7e80b7a1a93cca17cb0f11f14d8a34c21cd4aaba77f9bf7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x640B 5300 bytes
font_01_sfnt_off00007604.bin
0ba79c2c626c83dbad7bd8cb2a57aa4ba47f93dbd92e7f3a7aa1f4450bb1644f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7604 11268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.