Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d40d8ab75c10089…

MALICIOUS

PDF

33.7 KB Created: 2020-09-02 01:47:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05b2992ba2e9ee2a35accf1748e1377d SHA-1: c385446fb608cbbd969ff4abe8b647f971104d2d SHA-256: 1d40d8ab75c10089163c3affb3a013722ab2cfde87da4058b900c43936461761
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The embedded URL points to a known malicious redirector, suggesting an attempt to lure users to a compromised or malicious website. The presence of numerous external PDF links, many hosted on static.usrfiles.com, indicates a link farm strategy, likely for SEO manipulation or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=guidecraft+media+desk+teal
    • https://static.usrfiles.com/ugd/9904c2_33fe18f92e6c4014b27775bfebe2bc48.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5eb673b6412452e94fc6eca72eff72b.pdf
    • https://static.usrfiles.com/ugd/b8c837_277a00daf6144c309dfcb428ffe6af2f.pdf
    • https://static.usrfiles.com/ugd/daca0d_7b66d908d3274ec0817039ec6e8f6750.pdf
    • https://static.usrfiles.com/ugd/003b86_c3debcb1049d444e8cd70ccf7b8aa618.pdf
    • https://static.usrfiles.com/ugd/b8c837_b320d072e39d4329a6c1eada0ae3a01d.pdf
    • https://static.usrfiles.com/ugd/e3325f_08ef991acb974894aa782d72914745a6.pdf
    • https://static.usrfiles.com/ugd/0010c8_8d619817daa4470398f6c7537597d38d.pdf
    • https://static.usrfiles.com/ugd/d43733_76f1632140ee44f4879c04e9fb7d612e.pdf
    • https://static.usrfiles.com/ugd/b8c837_a81dc73f478046abb8e658efe26eccdc.pdf
    • https://static.usrfiles.com/ugd/b8c837_6d1f8fe4a33d46089843b871d05a5bbf.pdf
    • https://static.usrfiles.com/ugd/b8c837_af64b28627cd4bec8224d9ecbae77549.pdf
    • https://cdn.shopify.com/s/files/1/0437/0992/3481/files/74334655554.pdf
    • https://cdn.shopify.com/s/files/1/0444/0332/7142/files/malwarebytes_2._2._0._1024_key.pdf
    • https://cdn.shopify.com/s/files/1/0434/4116/0344/files/game_for_windows_live_client.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000047cc.bin
740b51808e711d65f9e98052d3fe33a8e149957bc3054934a222a2b3dcd81f8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x47CC 5260 bytes
font_01_sfnt_off000059a2.bin
ef65dcd11534479b58a292d376c3cd55d18295613963f99d59c6023f88644546		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59A2 9624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.