Malicious PDF — malware analysis report

Static analysis result for SHA-256 28e7c88de1c82372…

MALICIOUS

PDF

40.7 KB Created: 2020-08-31 02:31:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36fc84e0d696278e30d068f829964600 SHA-1: fbd678db9ea44b28e00905cfc4c962fcc96ec4fe SHA-256: 28e7c88de1c82372ac89302aff69fa08d5796fac713dc68a6b9043094ffeb400
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'doodle devil hd apk' and a URL that aligns with the malicious redirector heuristic. The presence of numerous links to external PDFs, many hosted on static.usrfiles.com, suggests a link farm designed to obscure the ultimate destination or to appear as legitimate content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=doodle+devil+hd+apk
    • https://static.usrfiles.com/ugd/73f3b0_ee0c14e5a26b40c1a1d1dd86010d8e2a.pdf
    • https://static.usrfiles.com/ugd/913720_f58597295c794c6ebec8acd5fc0429e4.pdf
    • https://static.usrfiles.com/ugd/e23fbb_c31932f53eaa4efab158e74acb37cbd5.pdf
    • https://static.usrfiles.com/ugd/b8c837_48d132b8992940a8b6dfd096f1126b78.pdf
    • https://static.usrfiles.com/ugd/fe83c3_a1728ba4650d422588585550e657ac1f.pdf
    • https://static.usrfiles.com/ugd/173616_a4cd952fbdd54d7bb9f6b8e95a738fe8.pdf
    • https://static.usrfiles.com/ugd/4f270c_06267c075a0c46f99f3e14e443dd5473.pdf
    • https://static.usrfiles.com/ugd/cc089a_cfe2b952052f4676a009232975a87f94.pdf
    • https://static.usrfiles.com/ugd/47b1e8_c51e77ddd6f9492a8fca5f5b19c8d990.pdf
    • https://static.usrfiles.com/ugd/921909_0c944cd146544af0a102a77de045b0df.pdf
    • https://cdn.shopify.com/s/files/1/0433/6015/7855/files/31789112148.pdf
    • https://cdn.shopify.com/s/files/1/0432/1263/6322/files/30936069026.pdf
    • https://cdn.shopify.com/s/files/1/0431/3802/3581/files/insanity_max_30_nutrition_guide.pdf
    • https://static.usrfiles.com/ugd/0779a3_244667942db045b9913e9da09fbfaecd.pdf
    • https://static.usrfiles.com/ugd/221f3a_d57766447b0649aabb4103b269014da9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000573b.bin
31e1fc4565d4311c34e960f6b0757839d71534a3f3828bac53db23f784bd8718		 pdf-font-stream PDF embedded font (sfnt) at offset 0x573B 4896 bytes
font_01_sfnt_off000067e4.bin
289854c0292170102eeea8cd8d9fa039b7e5adf06f71653ea533c14c4e2d2c34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67E4 2140 bytes
font_02_sfnt_off000071bf.bin
f9928c199c470d6dda75ca1d19f595f5e354365ddd6c7b0d3242a50f4179a94c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71BF 10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.