Malicious PDF — malware analysis report

Static analysis result for SHA-256 518305914b45555e…

MALICIOUS

Type: PDF
Size: 43.9 KB
Created: 2020-09-01 04:15:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 043983583ed38271da155b484f7bb840
SHA-1: 73951788f6e439bbf5d0c9af75b5315e7383cd44
SHA-256: 518305914b45555e1dbfeffa474d50bfbce473e4e12165cdcba8988cb3f5f914
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains clickable link annotations whose target is known redirector infrastructure, as flagged by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, although partially corrupted, still contains text consistent with an "Xbox one teardown guide" lure together with the redirector URL. The PDF_SEO_LINK_FARM heuristic fired on the unusually large number of outbound links for a document of this size: most point to other PDFs hosted on benign file-hosting domains (cdn.shopify.com and static.usrfiles.com), a padding pattern typical of generated SEO carrier documents that makes the file look like a normal cross-referenced document and masks the single redirector link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=xbox+one+teardown+guide
    • https://cdn.shopify.com/s/files/1/0437/3794/0133/files/81253597465.pdf
    • https://cdn.shopify.com/s/files/1/0436/9183/5545/files/sorted_edges_algorithm.pdf
    • https://cdn.shopify.com/s/files/1/0430/5269/5703/files/51112006730.pdf
    • https://cdn.shopify.com/s/files/1/0435/0020/8294/files/benelux_map.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c369762975a41ddad84b8131cc23851.pdf
    • https://static.usrfiles.com/ugd/bfbc46_f6275d038f184eb49050e4ce142dedda.pdf
    • https://static.usrfiles.com/ugd/54fa57_6aed6f8533274ab59d46bbd906f6201d.pdf
    • https://static.usrfiles.com/ugd/30e015_327d0eb9cb854fc196e2083df1c5de98.pdf
    • https://static.usrfiles.com/ugd/704566_2c0cb9e98ac34a4a912f4b1a907ec78f.pdf
    • https://static.usrfiles.com/ugd/e5cbe5_157ffb9ddfad46b6a1ac032b001174e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_b22a068bcf0949e3abe4af7e7f038f4d.pdf
    • https://static.usrfiles.com/ugd/cd79e3_d74b8930474a441aa8b8fd27bd4d981d.pdf
    • https://static.usrfiles.com/ugd/b8c837_09afb7bc9c834125bc5547bdd4df0aea.pdf
    • https://static.usrfiles.com/ugd/6d59ab_94776d20d6254c83985df115c256f2b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_e36fb5fe9e074d02bd5680be6ef6f5ae.pdf
    • https://static.usrfiles.com/ugd/33a16d_0bec993531114e219b5924539b4df8af.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
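The three heuristics above can be reproduced with a small string-level scan of the file. The Python below is an added example written for this page, not code from the analysis platform that produced the report. It builds a constructed, minimal (xref-less) PDF carrying one /Link annotation per URL, extracts the /URI action targets, and applies the same three tests the report names: any web URL present (EMBEDDED_URL), a link to a known redirector host (PDF_MALICIOUS_REDIRECTOR_LINK), and a small file with many external .pdf links clustered on one host (PDF_SEO_LINK_FARM). The redirector host set, the size, link-count and host-dominance thresholds, and the sample URLs are assumptions chosen to mirror this sample; only the ttraff.ru URL is taken from the report. The scan reads literal-string /URI entries in uncompressed objects only; real-world triage would first decompress object streams (for example with pypdf or peepdf) before scanning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: redirector host taken from this report's own indicator; a real
# deployment would load this set from threat-intel feeds, not hard-code it.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Literal-string /URI entries inside link actions: /URI (http://...) with
# PDF escapes \( \) \\ allowed inside the parentheses. Uncompressed objects only.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in clickable link actions, unescaped."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        out.append(raw.decode("latin-1"))
    return out


def assess_pdf_links(pdf_bytes: bytes, *, size_limit: int = 100 * 1024,
                     min_links: int = 10, dominance: float = 0.5) -> dict:
    """Apply the EMBEDDED_URL / redirector / link-farm tests and return the findings.

    Thresholds are assumptions: a 'small' PDF is <= size_limit bytes, a link farm
    needs >= min_links external .pdf targets, and >= dominance of all web links
    must share one host.
    """
    uris = extract_link_uris(pdf_bytes)
    web = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in web)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_targets = [u for u in web if urlsplit(u).path.lower().endswith(".pdf")]
    redirectors = sorted(u for u in web if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS)

    findings = []
    if web:
        findings.append("EMBEDDED_URL")
    if redirectors:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf_bytes) <= size_limit and len(pdf_targets) >= min_links
            and top_count / len(web) >= dominance):
        findings.append("PDF_SEO_LINK_FARM")
    return {"urls": web, "hosts": dict(hosts), "top_host": top_host,
            "pdf_links": len(pdf_targets), "redirectors": redirectors,
            "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF (no xref table) with one /Link annotation per URL."""
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    body = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{annot_refs}] >> endobj",
    ]
    for i, url in enumerate(urls):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        body.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link "
                    f"/Rect [0 {10 * i} 100 {10 * i + 10}] "
                    f"/A << /S /URI /URI ({esc}) >> >> endobj")
    body.append("%%EOF")
    return "\n".join(body).encode("latin-1")


# Constructed sample modelled on this report: one redirector link padded with
# generated .pdf links on two file-hosting domains (paths are made up).
SAMPLE_URLS = (
    ["https://ttraff.ru/pify?keyword=xbox+one+teardown+guide"]
    + [f"https://cdn.shopify.com/s/files/1/0437/3794/0133/files/sample_{i}.pdf"
       for i in range(12)]
    + [f"https://static.usrfiles.com/ugd/constructed_{i}.pdf" for i in range(3)]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    result = assess_pdf_links(SAMPLE_PDF)
    print(result["findings"], result["top_host"], result["pdf_links"])
```

The host-dominance test is what separates a generated link farm from a genuinely well-cited document: a real report with many citations spreads its links across many hosts, whereas the SEO carrier clusters nearly all of them on one CDN and hides a single off-host redirector among them.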

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006ecc.bin
  SHA-256: 139bba6719377d9d1dce4c9c379f67f5649308382ca2e9d26dc26d4fe6de85da
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6ECC
  Size: 5060 bytes

Filename: font_01_sfnt_off00008026.bin
  SHA-256: ca28b8dfac5c7462c62b7c2e198853848aa3f0c6d77d6049d377e401359d4653
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8026
  Size: 10060 bytes