Malicious PDF — malware analysis report

Static analysis result for SHA-256 d85d03a3bc552251…

Verdict: MALICIOUS
File type: PDF
Size: 51.7 KB
Created: 2020-09-18 11:43:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 022966f1cec7359fd1bb25193944560a
SHA-1: 6c4e278d00da6ebb6feb2c699efc35ffcb618856
SHA-256: d85d03a3bc5522518264bda8def45e95641f34ab1afd5e6f4fbc6e4ed343ed1f
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm with a primary malicious redirector URL, indicating a phishing or scam attempt. The document body, though malformed, contains the malicious URL and appears to be a lure for a "Star Wars heroes mod guide". The presence of numerous links to external PDFs, many of which are benign, suggests a link farm designed to obscure the malicious destination. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=star+wars+heroes+mod+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00008af3.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AF3 | 5404 bytes
  SHA-256: 3cfe3d9ca79cdde3f9e5cd87168a97b9aaf7d2cdabfcb5c05c6c9ae96d306d54
font_01_sfnt_off00009d35.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D35 | 10584 bytes
  SHA-256: 9a248a649f139346f3142c009554c7d6cf6a0b37df92a08e92346a8a78682606