Malicious PDF — malware analysis report

Static analysis result for SHA-256 509dc40152b9edaa…

MALICIOUS

PDF

45.4 KB Created: 2020-09-07 23:56:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b07431e9f8752e097727d4b577ac747b SHA-1: db73b0b4e84d5bce6840e0570aef805dca7cf455 SHA-256: 509dc40152b9edaa3749cb837db26c119b9a60c56059080e6604ba8bb26fa31f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large link farm. The primary malicious URL identified is 'https://ttraff.club/pify?keyword=black+desert+ps4+warrior+guide', which is likely used to redirect users to a malicious site. The document body, though heavily obfuscated, contains references to this URL and other PDF links, supporting the finding of a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=black+desert+ps4+warrior+guide
    • https://static.usrfiles.com/ugd/f99735_0bc287d131374dc88ea0e718c7e198f3.pdf
    • https://static.usrfiles.com/ugd/83e24f_f748cce5b20b4da7bbca5c6d83dafde2.pdf
    • https://static.usrfiles.com/ugd/4c76bf_c1a2e01aa0ec44668d5445d75bcf67ca.pdf
    • https://cdn.shopify.com/s/files/1/0440/1093/0341/files/15873887713.pdf
    • https://cdn.shopify.com/s/files/1/0434/3080/5669/files/65408878800.pdf
    • https://cdn.shopify.com/s/files/1/0444/3389/9686/files/dictionary_english_to_marathi_free_download.pdf
    • https://static.usrfiles.com/ugd/f6a907_800605c8d55e4a7c8981e2c35d9b74f6.pdf
    • https://static.usrfiles.com/ugd/ce14f3_cf7c9c7e7251454bace64c39c72bb8a5.pdf
    • https://static.usrfiles.com/ugd/7e6083_e04a4602acc14a4c80097dea8f7f5890.pdf
    • https://static.usrfiles.com/ugd/5b9365_ac7b0b606470476eb6fb7607ffcc628e.pdf
    • https://static.usrfiles.com/ugd/ce5d00_21f4ae804d914d38a4087dfd159aa78f.pdf
    • https://cdn.shopify.com/s/files/1/0440/2659/3445/files/81644501382.pdf
    • https://cdn.shopify.com/s/files/1/0430/0197/0837/files/wosap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072d5.bin
1ad2898204ea5f609bc46f288f99aa8e2004b905c2568589418f65ae4ff5972f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72D5 5532 bytes
font_01_sfnt_off000085df.bin
fcb147df453680ba22e27a5b2a2bb0c881aa15ea1dad1a297e8f62392ecaafd4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85DF 10360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.