Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae7e04bff296bcd1…

MALICIOUS

PDF

42.5 KB Created: 2020-09-01 04:14:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e031e0695612507582a798d017bfcb0 SHA-1: 79a7c95bc66fb58f2fb12af59023076709fd868b SHA-256: ae7e04bff296bcd18ee5e17a73f7848e3a83aff780886c1cb1ff5e5456c88516
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its extensive use of external links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that mirrors the one identified by the heuristic, suggesting a lure related to 'marvel future fight latest apk data'. The presence of numerous links to static.usrfiles.com, even if benign, contributes to the overall link farm characteristic. The primary malicious IOC is the redirector URL, which is likely used to funnel users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=marvel+future+fight+latest+apk+data
    • https://static.usrfiles.com/ugd/d2751c_0caf03df413341ef866a8d39a2bbefe0.pdf
    • https://static.usrfiles.com/ugd/769f78_ead74e65e1fb42248fe25553d32f3043.pdf
    • https://static.usrfiles.com/ugd/b8c837_14e3c7e9331d406da9326c96fd478f5d.pdf
    • https://static.usrfiles.com/ugd/b8c837_9825a9fdc3954a0e9e0552a59b86333b.pdf
    • https://static.usrfiles.com/ugd/0cd019_ab43510132df49fdbaf97401b00f6bd8.pdf
    • https://static.usrfiles.com/ugd/08fe48_bd3446fb777147e8bbd22676ec7137a8.pdf
    • https://static.usrfiles.com/ugd/10b11f_9595b014b4964d788464618e375373a7.pdf
    • https://static.usrfiles.com/ugd/f80014_634cc8f7050242eba83e294d1c289438.pdf
    • https://static.usrfiles.com/ugd/b8c837_4985129fd57a4576b36b95f300dba106.pdf
    • https://static.usrfiles.com/ugd/b8c837_76fc61190625422d836c60101f99e96c.pdf
    • https://static.usrfiles.com/ugd/769f78_3595421f3c29479f88d7ddaf17e7a77d.pdf
    • https://static.usrfiles.com/ugd/286fb8_5409a02369534dc98a0cbfb2235e7758.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4e0950ca95c47c4bbd80cc14a98f104.pdf
    • https://static.usrfiles.com/ugd/f4de5e_220c8959147b484680f17fe446ad2e8d.pdf
    • https://static.usrfiles.com/ugd/3f0e57_6aa8b829a3a94e1e85f45df1f74651cc.pdf
    • https://static.usrfiles.com/ugd/0d002d_90a718a0c490435caf492508536e6099.pdf
    • https://static.usrfiles.com/ugd/c20ea7_17569d060e284f63895e26b41a1fd37b.pdf
    • https://static.usrfiles.com/ugd/cb2bed_37170671285f4f03bd607279209a7f86.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000679e.bin
88cdf42624cf6184ad3e3e861cdd877c05205038565e7b4dfe7020990440f74b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x679E 5432 bytes
font_01_sfnt_off00007a28.bin
b76ccb9ef57849f99e92373c0c86f7bc7d4ba75f15e4591dc10166bd99fb1b5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A28 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.