Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dd30a77cd628792…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-08-29 21:14:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: beab73885e7932de17b592e5682d3465
SHA-1: ed9addf2780cef9acdc5c0d5c810932102ec7f3a
SHA-256: 1dd30a77cd6287921218db2b5cf688c413d785ad1d33e1e8cc65b4b27bde842d
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to appear as legitimate content related to game cheats, but the primary link redirects to a known malicious domain. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms this redirection. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, contains the malicious URL and references to game cheats, supporting the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=transformers+the+game+cheat
    • https://cdn.shopify.com/s/files/1/0435/9965/9176/files/31026143374.pdf
    • https://cdn.shopify.com/s/files/1/0433/5697/9351/files/99823577994.pdf
    • https://cdn.shopify.com/s/files/1/0431/2816/0420/files/ketawoveredevagime.pdf
    • https://cdn.shopify.com/s/files/1/0434/1320/9246/files/11218040595.pdf
    • https://cdn.shopify.com/s/files/1/0430/7641/9744/files/kojimonujunuxajip.pdf
    • https://cdn.shopify.com/s/files/1/0429/9590/8761/files/90927476417.pdf
    • https://cdn.shopify.com/s/files/1/0429/1874/0134/files/morebidivatinape.pdf
    • https://cdn.shopify.com/s/files/1/0434/4381/4556/files/58045746096.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/7913659608.pdf
    • https://cdn.shopify.com/s/files/1/0430/0419/9075/files/sugar_magnolias_grateful_dead.pdf
    • https://cdn.shopify.com/s/files/1/0462/2532/6231/files/t_shirt_size_guide.pdf
    • https://cdn.shopify.com/s/files/1/0446/8791/7209/files/stefan_zweig_beware_of_pity.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b7ebcd445e74058885c7f8dd977fa4d.pdf
    • https://static.usrfiles.com/ugd/b8c837_3e92215b4e45415382f634a0c6f2f504.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007cae.bin
    SHA-256: 4cd13bdc1e7b1e5a4ec1ef44cf5b9b6ba8234044b60ee6577e36c2f3e056c213
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CAE
    Size: 5212 bytes
  • Filename: font_01_sfnt_off00008e3b.bin
    SHA-256: 1cd9dbca7410f5c5fe7c194aa3ce9a868d9c802ef8c7d734c05d7f20112d36f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E3B
    Size: 10076 bytes