MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a significant number of embedded links, many of which point to known malicious redirectors or link farms. The document body, though heavily obfuscated, contains a URL that appears to be a lure for 'Diablo 2 single player character files', suggesting a social engineering pretext. The heuristic firings confirm the presence of malicious redirector links and a link farm, indicating the document's primary purpose is to drive traffic to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.club/wix?keyword=diablo+2+single+player+character+files
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006a89.bin 11f75f9a0d4f1644306bf1f969f10d2b36be3d5147982b74af459a25f5dd98d3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A89 | 5652 bytes |
| font_01_sfnt_off00007ddb.bin 193062bd96a5f1699ecedbac3af38b94837eea2257de1f911f97675863824c8b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DDB | 10528 bytes |