Malicious PDF — malware analysis report

Static analysis result for SHA-256 468e5c1138e63db0…

MALICIOUS

PDF

44.3 KB Created: 2020-08-30 03:05:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b731b51bd49462ddeaa10035b2a8ce98 SHA-1: 667c42d58619a16afb924e6b1de76f3a51d87698 SHA-256: 468e5c1138e63db04e7689b4b413ce867070248f7a301223994632a2a1c3b577
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a resource for game cheat codes. The primary heuristic indicates this link points to known malicious infrastructure. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the lure. The PDF also contains a large number of links to other PDFs, likely for SEO manipulation to increase visibility of the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cheat+codes+for+just+cause+2+ps3
    • https://cdn.shopify.com/s/files/1/0438/3342/6082/files/pdf_text_watermark_remover_online.pdf
    • https://cdn.shopify.com/s/files/1/0447/7698/0629/files/besame_mucho_piano_sheet_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/4329/9228/files/bacon_egg_and_cheese_biscuit.pdf
    • https://cdn.shopify.com/s/files/1/0433/3876/0342/files/59981259790.pdf
    • https://cdn.shopify.com/s/files/1/0437/4020/1109/files/biwoj.pdf
    • https://cdn.shopify.com/s/files/1/0429/5802/8959/files/82356481493.pdf
    • https://cdn.shopify.com/s/files/1/0432/5035/2296/files/78722698469.pdf
    • https://cdn.shopify.com/s/files/1/0429/0985/9999/files/jezuwovukabopajopiwepu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4324/9576/files/bourbaki_general_topology_part_2.pdf
    • https://cdn.shopify.com/s/files/1/0438/2140/0226/files/essay_plan_template_google_docs.pdf
    • https://cdn.shopify.com/s/files/1/0434/7972/8281/files/canon_mg2900_ink.pdf
    • https://static.usrfiles.com/ugd/b8c837_e6d1a1a281cd4e11a0b0ea853dca1c83.pdf
    • https://static.usrfiles.com/ugd/3bca44_c26fd2dc0f62411ebf58d0af4a9d2971.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d70.bin
e46edaf429f5bb2acd8eb43fa4e1f7e36da1149fb8d02398a3e32f1322fd338b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D70 5488 bytes
font_01_sfnt_off00008019.bin
25d21c5b4c5d07bc41faee9343971674f9dd87e9c58bff50f02739be8cd38eba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8019 10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.