Malicious PDF — malware analysis report

Static analysis result for SHA-256 b39bcba15399b578…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-09-01 22:10:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dca43e69cb795fd7bbd6611cf4d7e41
SHA-1: 9c5f2edac5d627e7592dbbccb0461f9f4d58dda3
SHA-256: b39bcba15399b5789d00d03f055e1defd835f71897e7acd581d1fafbb75081e8
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains multiple invisible links, one of which redirects to known malicious infrastructure. The document body, although heavily obfuscated, contains text that appears to be a lure for 'Nasus build guide s9', most likely intended to trick users into clicking the malicious links. The PDF also contains a mass external PDF link farm, suggesting an attempt to manipulate search engine results or to distribute further malicious content.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Invisible PDF links to CAPTCHA-themed web lure [high] PDF_CAPTCHA_LINK_LURE
    PDF contains invisible clickable link annotations that point to a CAPTCHA/capcha-themed web path. This is a common phishing and ClickFix-style routing pattern: the PDF itself is inert, while the linked page performs the credential prompt or fake verification.
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or an xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                      Size
font_00_sfnt_off00007c66.bin  54af95192734425b11f659278077d467976b4e5b32f008d954f93780b698ce6a  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7C66  5160 bytes
font_01_sfnt_off00008e04.bin  95a595a05dae50df7dd17639f07e9f8b86b3f2b97cf14c63b0c505a2fdf0b71b  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8E04  15072 bytes