PDF malware analysis — malicious · dc2908ba1cbe4bfc

MALICIOUS

PDF

45.3 KB Created: 2020-08-30 03:27:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 079bc69f34b11072ba0017663436cff6 SHA-1: d85c451c2a8b52c33f485abdcc6e3c8226dfce24 SHA-256: dc2908ba1cbe4bfc96542c779ce83902c6bf7ce3b4a52151589400efe3c0b1b7

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link disguised as a free movie download, which redirects to a known malicious URL. The PDF also hosts a large number of external links, many pointing to static.usrfiles.com, suggesting a link farm or SEO poisoning tactic. The ML classifier strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=tres+metros+sobre+el+cielo+pelicula+gratis
- https://static.usrfiles.com/ugd/b8c837_26f2fc0231674b76bc61ba89eb158e42.pdf
- https://static.usrfiles.com/ugd/b8c837_aa0ba7b175c2460bb63e320da8ee3f53.pdf
- https://static.usrfiles.com/ugd/b8c837_e7f2821b128948499859d5dc8850d0dc.pdf
- https://static.usrfiles.com/ugd/b8c837_d9a87dbf2e664bdab103f1c35b27ef26.pdf
- https://cdn.shopify.com/s/files/1/0434/9594/8454/files/36690777849.pdf
- https://cdn.shopify.com/s/files/1/0432/8344/7968/files/watchersweb_club_house.pdf
- https://static.usrfiles.com/ugd/b8c837_9eb19bd710c1428b980c5170d19da769.pdf
- https://static.usrfiles.com/ugd/d2cc1f_7ad68c2b3b2544c093b759e87033fcc5.pdf
- https://static.usrfiles.com/ugd/b8c837_91d4867ac1f04469b83472b97fd8454e.pdf
- https://static.usrfiles.com/ugd/22739b_37ca484edb354a279980386a319c148e.pdf
- https://static.usrfiles.com/ugd/9d869b_4b5fb71694bf40e78a2af23800273a7a.pdf
- https://static.usrfiles.com/ugd/3fc21f_336706270933470496b83207db98be5d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000063c4.bin` `a9a5a15d901c505dbcf2dddd2f300ae31391e4613d5ac85262fdedf55b769b0f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63C4	5116 bytes
`font_01_sfnt_off00007530.bin` `fe22ffbdb5e37a40545aa071e3e1b050786b56ce11937f48e4bdd6a45c06852f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7530	10924 bytes
`font_02_sfnt_off000098d1.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x98D1	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.