Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a565d1f99a18706…

Verdict: MALICIOUS
File type: PDF
Size: 49.7 KB
Created: 2020-09-17 13:47:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 019452baa24fc6613ce74ddfd36c4c51
SHA-1: f7dedccdc07c1646a3739082ae6cce23a4eb5886
SHA-256: 1a565d1f99a18706a3baeb2abb2c85d2e22e501405bd871859936b8b68662fc8
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing a malicious redirector link and a large number of external links, suggesting a link farm. The ML classifier also strongly indicated maliciousness. The embedded URL points to a redirector that, when followed, leads to a page related to 'achilles 2 armor games', likely a lure. The document body contains garbled text but includes the same URL, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=achilles+2+armor+games
    • https://1ccb176c-b9d8-45a9-b6aa-cb6194e9b82a.filesusr.com/ugd/162fe6_5a043f3d88b9451cab4e57aa8dd5be8e.pdf?index=true
    • https://7abab923-5d03-4341-bb65-7e2940ecdab5.filesusr.com/ugd/a8ca0f_f7959d0d34f9416685546cc9359d0ca3.pdf?index=true
    • https://3158b9ef-23d9-4564-b449-84117a2dead0.filesusr.com/ugd/5a4aad_ecb754f8f9a546b9afc73b1e4c57ca4e.pdf?index=true
    • https://80077d12-8665-4b59-9137-357e6bdab217.filesusr.com/ugd/fe83c3_d09ffc90161c4acb88539f0ed79bcaf2.pdf?index=true
    • https://d135ff89-963c-414e-97ef-fcd125f7dae6.filesusr.com/ugd/57c819_9a88e550982c41559ef5430dfc952abe.pdf?index=true
    • https://2aa6d011-3159-42ab-94d8-9bb112b01c00.filesusr.com/ugd/0b46e6_7f5ff97f3b6d42d1be819e861c95b613.pdf?index=true
    • https://54bff04e-eaba-49c7-8af6-8cfb62abcf8b.filesusr.com/ugd/c79b1c_dc80e9ccf6c347e686fe935c16355d50.pdf?index=true
    • https://c0ac0c1e-0581-40a8-8cbb-92bf8baf1ade.filesusr.com/ugd/a51aec_8370948b6e8f471fad3f4f63b4b21e88.pdf?index=true
    • https://8f1a9fc1-3771-41a5-85d3-9156252d694e.filesusr.com/ugd/dd6616_5bd56c53e171415790f05225269b603a.pdf?index=true
    • https://87fc0f02-56cb-4bc2-93e2-4e3276d6e44f.filesusr.com/ugd/3bcfef_bf791d3e683c460ca55c2c5eece8c3be.pdf?index=true
    • https://969424aa-ed81-49e5-ab7e-3e7bfebbcd0b.filesusr.com/ugd/d90490_89cf7d9d46d04a719750032d02c82dd6.pdf?index=true
    • https://863e6be1-5ac2-46ef-bb05-c981f751bf7a.filesusr.com/ugd/90423f_400e968d7d5b45dda6d59f0a9c7bb328.pdf?index=true
    • https://19c3e6e4-3ff5-41a8-8704-26ca1954bdfb.filesusr.com/ugd/136d3d_0e3e6c30d2e54631bb388f825866387f.pdf?index=true
    • https://d1f1654c-bbb3-4ee2-ab37-664d42c9fe33.filesusr.com/ugd/53c654_d91a829188d344fcbab8785e518ea69a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://1ccb176c-b9d8-45a9-b6aa-cb6194e9b82a.filesusr.com/ugd/162fe6_5a043f3d88b9451cab4e57aa8dd5be8e.pdf?index=tru

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007818.bin
    SHA-256: 5838ca71e9dc0cabb7579904ab3cc5ea7514a4616b92085583c0e0eaffd7f6c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7818
    Size: 4936 bytes
  • font_01_sfnt_off000088c9.bin
    SHA-256: c4871191f5f1aa1685efce00206bba7b737905febbcbb6094f82db1a22e45310
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88C9
    Size: 10192 bytes
  • font_02_sfnt_off0000ab9a.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAB9A
    Size: 4324 bytes