Malicious PDF — malware analysis report

Static analysis result for SHA-256 c011fcce4b9abddb…

Verdict: MALICIOUS
File type: PDF
Size: 66.1 KB
Created: 2020-09-04 21:48:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 19be4e048ad827de0b42394b211bdef1
SHA-1: bcf1564a6796a52b5014944345670ff5adf1ff1f
SHA-256: c011fcce4b9abddb22e38930d5bf6941f1d830dfad618dd923dfa2b9754be3ce
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a download for 'Busuu pro apk onhax'. The ML classifier strongly indicates maliciousness, and the PDF structure includes a large number of external links, typical of SEO spam or link farms designed to drive traffic to malicious sites. The primary malicious IOC is the redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=busuu+pro+apk+onhax
    • https://cdn.shopify.com/s/files/1/0461/1457/0404/files/19901358526.pdf
    • https://cdn.shopify.com/s/files/1/0437/4469/0337/files/ruwogofaboratavuvivus.pdf
    • https://cdn.shopify.com/s/files/1/0430/0174/1463/files/referencia_bibliogrfica_apa.pdf
    • https://cdn.shopify.com/s/files/1/0437/5887/8872/files/fibavilobigabu.pdf
    • https://static.usrfiles.com/ugd/3b0c81_f83927bc8e334c6c818920be13b7e05c.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_64942cd5551f4b3eb3827f90fdd433b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_be1bd70a8f0e42aeadec758b1412f293.pdf
    • https://static.usrfiles.com/ugd/36d413_bf17a244f11b4015bbf8d0ffef0160eb.pdf
    • https://static.usrfiles.com/ugd/b77b08_40ca56f867524893a50ca48dd9821013.pdf
    • https://static.usrfiles.com/ugd/09273f_c6e9036f918f4909a7121fb27b619a6a.pdf
    • https://static.usrfiles.com/ugd/70c1f8_e0bef81503a24fda943d331b290c3e15.pdf
    • https://static.usrfiles.com/ugd/f390e7_bb860d16ad5b4753bd6dfb920bb21a3a.pdf
    • https://static.usrfiles.com/ugd/12f4eb_0d4a941b37dd4ba1b660304b1c912ad7.pdf
    • https://static.usrfiles.com/ugd/b6aaa0_737c3a143dfb40368f35e890b56a7cbd.pdf
    • https://static.usrfiles.com/ugd/4f270c_c0c7a985e56c4ae68d8ac6f22fa438b3.pdf
    • https://static.usrfiles.com/ugd/9d66c7_13f4fde0a48f42d09942ffe61d88ddfa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00007546.bin | 88173983c06bbd2f2fb82e963dbf44bc5de085175a83c109ffaae1b83a923048 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7546 | 3888 bytes
font_01_sfnt_off00008309.bin | 79b9d03eb5be1a1dbf83609579359a408e293282f2da18af81bcaa19aab28cba | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8309 | 5056 bytes
font_02_sfnt_off00009433.bin | aca80f532ffeca4013a91fab246c76fa243a979c6f3d5176dd5edf5f3cc49ca0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9433 | 14976 bytes
font_03_sfnt_off0000b5ae.bin | 0349f8b7588e107267758703ca670de29a5c37e7671f984ebe91f1f218e3d2c6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB5AE | 14552 bytes
font_04_sfnt_off0000e38d.bin | 01af50fea4c132feb65b92ccf75f2838bf6dd4aa6553adc9d6b97b7c10aee4ff | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE38D | 16616 bytes