PDF malware analysis — malicious · d966c13a475d31df

MALICIOUS

PDF

110.8 KB Created: 2020-08-29 16:10:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c3b6ff450f3ecea18f48b6596451d7fc SHA-1: bd1b011f3f53d0914c8a5cc9feb65bf4b97df49d SHA-256: d966c13a475d31dfabcafeb25bdd3ba85dbdd1c7409de66fcc08cd96b62f09a2

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, identified by the heuristic PDF_MALICIOUS_REDIRECTOR_LINK. The document body, though partially corrupted, includes the subject 'Fnis not loading animations' and the malicious URL, suggesting a social engineering lure. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be directing the user to a malicious site via the embedded link.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=fnis+not+loading+animations
- https://static.usrfiles.com/ugd/b8c837_941a267a2d6b460f93fc17b5f551428b.pdf
- https://static.usrfiles.com/ugd/b8c837_d008720e64f5469e906359ab5684feeb.pdf
- https://static.usrfiles.com/ugd/b8c837_223ccd1e89e34bd7a0ffaf89c4021050.pdf
- https://static.usrfiles.com/ugd/b8c837_7ac9d0e5cf1f46d081f2ad6ed61f82e4.pdf
- https://static.usrfiles.com/ugd/b8c837_5890738ab8194d409fb46014ba53d5ac.pdf
- https://static.usrfiles.com/ugd/b8c837_24841f9d180540919a1375c8fd60701a.pdf
- https://static.usrfiles.com/ugd/b8c837_774e34e6324e41a6bbdb3a5d74b2e37a.pdf
- https://cdn.shopify.com/s/files/1/0462/9004/3040/files/gta_5_ppsspp_games_download_iso.pdf
- https://cdn.shopify.com/s/files/1/0430/5358/0441/files/nosez.pdf
- https://cdn.shopify.com/s/files/1/0451/1947/1781/files/clackamas_community_college_transcript_request_form.pdf
- https://static.usrfiles.com/ugd/b8c837_017a50ce0dae4a9c81b46eaa0092e1b2.pdf
- https://static.usrfiles.com/ugd/b8c837_74726b9b4fba41a4a90d5fc8d2fd26b2.pdf
- https://static.usrfiles.com/ugd/b8c837_a0d5f7a0aaf34f9e8a31f1af57986d26.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bcb6.bin` `cea16098a53b31d3aa6a54df11d533f1b002b2b78f805a8a93b42b67dc927c09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBCB6	50244 bytes
`font_01_sfnt_off000157d2.bin` `8899769f8778e25160d4b3ae29d2702034caf13e767b678e15c46ad5307dfe6d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x157D2	5004 bytes
`font_02_sfnt_off000168c2.bin` `fe634f80fa93d0ad373dfcf30a2577284c954b44b786530e362586e6c9c55a7d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x168C2	15252 bytes
`font_03_sfnt_off00019856.bin` `39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19856	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.