Malicious PDF — malware analysis report

Static analysis result for SHA-256 27729258e3c56645…

Verdict: MALICIOUS
File type: PDF
Size: 49.5 KB
Created: 2020-09-17 12:00:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00663735a837df8a6049df970140c026
SHA-1: 000d190f332b081990430239439120d4908ded67
SHA-256: 27729258e3c56645a63ac33854ec13f00d7ceaae85cedb877ea88f2083ae0fc5
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that includes a search query for 'game guardian apk latest version apkpure'. This suggests a lure to download potentially unwanted or malicious applications. Additionally, the PDF exhibits characteristics of a link farm, with numerous embedded links to other PDF files, many of which are hosted on suspicious domains. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (redirector link flagged by PDF_MALICIOUS_REDIRECTOR_LINK): https://ttraff.link/wix?keyword=game+guardian+apk+latest+version+apkpure

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00006673.bin
    SHA-256: ac4345a16236c2f672c0c679ef94a750cb567bb4a6b320846ae688c1ec585087
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6673
    Size: 8060 bytes
  • font_01_sfnt_off0000818f.bin
    SHA-256: df84f4ef0a6e1d7b6d62a10a15589f366df0eae785f0d56b026a0273094f3aca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x818F
    Size: 5436 bytes
  • font_02_sfnt_off00009401.bin
    SHA-256: a78c4b2e3a1a521e022ac39359a757ca7894beee391be2c369606b825e8fe61b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9401
    Size: 10768 bytes