Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9d2649c7c4cd100…

Verdict: MALICIOUS
File type: PDF
Size: 48.6 KB
Created: 2020-09-10 21:47:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0317d6956b76a68fd616991f42f9bca9
SHA-1: f44e40530db5de7cfa7347f08b5f81896c94e583
SHA-256: b9d2649c7c4cd100f1ec3866997e504b429630b53587e103e2eda91cca066517
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a link farm and one specific malicious redirector URL, disguised with a lure related to 'Brawl Stars'. The primary malicious URL is https://ttraff.club/wix?keyword=brawl+stars+level+up+guide, which is likely used to redirect the user to further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=brawl+stars+level+up+guide
    • http://files.hobocookoff.com/uploads/1/3/1/3/131398224/cb924802.pdf
    • http://files.kansascoringandcutting.com/uploads/1/3/1/4/131406676/6b42a753512461.pdf
    • http://gofaxofes.neisca-iowaclassic.com/uploads/1/3/0/9/130969363/5288505.pdf
    • http://rurusewe.robyngraycounseling.com/uploads/1/3/2/7/132712139/1ccdebcc.pdf
    • http://files.jouhlan.net/uploads/1/3/1/8/131871817/9431670.pdf
    • http://files.marinerspoint.com/uploads/1/3/2/3/132302987/a19fd34978489.pdf
    • http://files.tarrytownconnected.com/uploads/1/3/1/3/131398143/laropinuzupoz.pdf
    • http://zirupem.moyanicheallaigh.com/uploads/1/3/1/4/131438474/lenudasib-fudowogi-nimuzel.pdf
    • http://rakadebo.eighttreasuresyoga.com/uploads/1/3/0/9/130969339/gavubejezubiramosoxi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0531/2163/files/21205771915.pdf
    • https://cdn.shopify.com/s/files/1/0432/7381/4182/files/rekutorekuxaluf.pdf
    • https://cdn.shopify.com/s/files/1/0440/1663/1973/files/axiology_in_qualitative_research.pdf
    • https://cdn.shopify.com/s/files/1/0431/0640/2453/files/wuwufenavudolot.pdf
    • https://cdn.shopify.com/s/files/1/0435/5640/5411/files/41700107529.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00006a2c.bin
    SHA-256: b844c0bbc563c0dbbbb949a194e1e204df4216d9a23bc5e49348d90341846aca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A2C
    Size: 5328 bytes
  • font_01_sfnt_off00007c71.bin
    SHA-256: 8c0608b74b9df93fb8affe7cbbdbeae57d30bfefc136f5d9dabcd611db01db49
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C71
    Size: 10520 bytes
  • font_02_sfnt_off0000a081.bin
    SHA-256: df1d2c903cabdf2976887e260da0b25217edeb5ce2b71f315001024534e8e210
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA081
    Size: 16060 bytes