Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbfe1800785c6874…

MALICIOUS

PDF

36.3 KB Created: 2020-09-03 20:45:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4ed61800218ba4dee4c4f55c33afff7 SHA-1: c725e3e800782d107d8a24f1e83a8be70aabb6f4 SHA-256: dbfe1800785c6874fc72be8be463130284280800c4f87782e9a614173ff14926
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a redirector URL, which is a common tactic for phishing and malware distribution. The document body, though heavily obfuscated, contains text related to 'Java 64 bit windows 8 minecraft' and the malicious URL, suggesting a lure for potentially unwanted software or a scam. The PDF also hosts a large number of external links, many pointing to benign-looking PDFs, which is indicative of a link farm used to improve search engine ranking for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=java+64+bit++windows+8+minecraft
    • https://static.usrfiles.com/ugd/b8c837_5f200ab4ebdb4b10b98f773635ebf639.pdf
    • https://static.usrfiles.com/ugd/b8c837_3558ea531d904c7cae5524ff6f351d94.pdf
    • https://static.usrfiles.com/ugd/08fe48_1c052e08acbb46d3bcf5e68df0e166a0.pdf
    • https://static.usrfiles.com/ugd/7d1dc9_27ae43ef4fe94a15ae712b6b90c5caf9.pdf
    • https://static.usrfiles.com/ugd/67f5f7_06974b43c86a451491c984c0bd6a64dd.pdf
    • https://static.usrfiles.com/ugd/cb4a18_e786a11e0ba941c2afebdc1b1700c6dd.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_2cd6115364cd4c1e8a537c90033bb0a2.pdf
    • https://static.usrfiles.com/ugd/34e21e_2c0e76ddf3d84c8e94cd9e0f59217594.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_be6fea4ba1e34fbda3ffaeb224b9abd5.pdf
    • https://static.usrfiles.com/ugd/de60da_ad5475fb503f4dc78870859882f176a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_ffb192fea79f455997aa342fe78ed78c.pdf
    • https://static.usrfiles.com/ugd/cb2bed_0c4b1726aa31439cb178f58ae8fcfecd.pdf
    • https://static.usrfiles.com/ugd/b8c837_a36ea42998094656aa0a9fa596767647.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004eaa.bin
3c2e8b0bc5560885a7287634591edd849bfb1ad3b13ed4abb73e67413fba0a24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4EAA 5852 bytes
font_01_sfnt_off0000629b.bin
fde09d8b0730248c65b5cce1c63060ca8a3b21524dc31d4cb33051f631614056		 pdf-font-stream PDF embedded font (sfnt) at offset 0x629B 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.