Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9b14a655da34d70…

MALICIOUS

PDF

58.4 KB Created: 2020-08-31 00:56:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9755a0f11109f397c351d610f22b66ff SHA-1: a0b992f2edec0330ff2012f1e602e2e7b61bd40b SHA-256: b9b14a655da34d7095af6efd3a0104ffefa092515c2c0d9ccd9081e84e8201ea
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a lure related to 'Trucos de gta ps2' (GTA PS2 cheats) and embeds a link to a known malicious redirector. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms this, and the ML_NYX_PDF_MALICIOUS score indicates a high probability of malicious intent. The document body, though heavily obfuscated, contains the same lure and the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=trucos+de+gta+ps2
    • https://static.usrfiles.com/ugd/b8c837_f69721c1e91e4e1899830ade4b079143.pdf
    • https://static.usrfiles.com/ugd/b8c837_1a62a605337f4ad6aaa72d7dce70cdf4.pdf
    • https://static.usrfiles.com/ugd/b8c837_d8010d0e50c94d93b985fc036080c50c.pdf
    • https://static.usrfiles.com/ugd/ea2f88_39c48c04d21b45648ada3dbdbf8073dd.pdf
    • https://static.usrfiles.com/ugd/314c35_22272128ae044458900e0febef7f3a05.pdf
    • https://static.usrfiles.com/ugd/b8c837_beb9bb55217544229a6b1741dcba9f81.pdf
    • https://static.usrfiles.com/ugd/b8c837_eea4112683c54a28bbe9606a482bf2ab.pdf
    • https://static.usrfiles.com/ugd/b8c837_4db56a3895fa4965a81bf66695c320eb.pdf
    • https://static.usrfiles.com/ugd/cfa91a_a1d613e2ce554527951b07b6da95dbbf.pdf
    • https://static.usrfiles.com/ugd/429b25_1c7e380acb3e4a6a9b494aad71602b3e.pdf
    • https://static.usrfiles.com/ugd/de3d83_8674de30007e43429020741869b2fb14.pdf
    • https://static.usrfiles.com/ugd/b8c837_37ebca5215094a1cb1e566d6df96baff.pdf
    • https://static.usrfiles.com/ugd/99afdc_6895664c5e79495d924b3cb2f69ac44f.pdf
    • https://static.usrfiles.com/ugd/cf14a4_f1d3c871bba446b6897d689631e68499.pdf
    • https://cdn.shopify.com/s/files/1/0433/2588/2518/files/welelobasotexutawato.pdf
    • https://cdn.shopify.com/s/files/1/0431/9051/7917/files/82856398267.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/76423385748.pdf
    • https://cdn.shopify.com/s/files/1/0428/3170/8316/files/wigaruwekizided.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009b58.bin
89071ecaa9a3729d97acc7ff218873999537356a7b60ba42e4fbe87af2d11f8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B58 5292 bytes
font_01_sfnt_off0000ad68.bin
6b03e2c844741457516690c54fe3436f9e5a0b60bfd7123561aec2158c9dac4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD68 14836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.