Malicious PDF — malware analysis report

Static analysis result for SHA-256 61069dc5ecdcf3c1…

MALICIOUS

PDF

57.2 KB Created: 2020-08-31 00:53:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7e17659c8bd46351be932aa27d952ce6 SHA-1: 2ebbcf928fbb7b4e3137442139ecdfc85546d1d7 SHA-256: 61069dc5ecdcf3c1da325f4abd11322ae5282899b91b86c5f3ce1ca03a7ca5aa
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded links that redirect to malicious infrastructure, disguised as a game mod download. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of outbound links, suggesting a link farm or spamming operation. The ML classifier and the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic strongly indicate malicious intent, likely to deliver a second-stage payload or phish credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=fallout+character+overhaul+no+dlc
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/822ecd_48770737adac450d85b582fe62b754e3.pdf
    • https://static.usrfiles.com/ugd/72216b_88f212721fee4fa8a8969c8a3d0bae93.pdf
    • https://static.usrfiles.com/ugd/af0aa9_16d511ed12144528b074d2c9bc2e79c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_0252aac7b25f41178d4ae09497bf6393.pdf
    • https://static.usrfiles.com/ugd/1a89c8_67195b3c95254a9bb8d0400ccee80e46.pdf
    • https://static.usrfiles.com/ugd/b8c837_b37c9f6fbf0a444d93ca618b94f10773.pdf
    • https://static.usrfiles.com/ugd/d216cb_1aec652747ca49bbbdb8fcbade51617d.pdf
    • https://static.usrfiles.com/ugd/95089d_56d9c65abf184e2b9317b1c5545ee691.pdf
    • https://static.usrfiles.com/ugd/b8c837_13904c4f41c241c282d43c591d4faf7b.pdf
    • https://static.usrfiles.com/ugd/b8c837_7331cb75466f4d14ab4eec207a33c1d8.pdf
    • https://cdn.shopify.com/s/files/1/0435/3874/3450/files/zuxipujabilesekosox.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/taniseraguvifololesugom.pdf
    • https://cdn.shopify.com/s/files/1/0431/5647/1970/files/scholarship_essay_format.pdf
    • https://cdn.shopify.com/s/files/1/0465/4684/5854/files/carrie_the_musical_script.pdf
    • https://cdn.shopify.com/s/files/1/0434/8385/7053/files/womujekidimu.pdf
    • https://cdn.shopify.com/s/files/1/0430/8549/6482/files/mamozuxodumuxopodokeko.pdf
    • https://cdn.shopify.com/s/files/1/0429/1949/3785/files/osrs_inferno_written_guide.pdf
    • https://cdn.shopify.com/s/files/1/0427/7665/8087/files/decision_support_and_business_intell.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a2b5.bin
e3d41145dc32b4ce36e95a9cbab533f6f8f29bffb18c83e56dc3fd0269727bc0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2B5 4864 bytes
font_01_sfnt_off0000b33b.bin
942fcb41187d68f71353152d4d116ca355b09b307593bda658a9d847b356cb37		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB33B 10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.