Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb9d0d69a4aa71c…

MALICIOUS

PDF

38.8 KB Created: 2020-08-31 16:55:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b50a06edacec4cc72e7194443ff61acc SHA-1: c2eeaaebf4a687f979aa23d15e845befc9f33cc2 SHA-256: deb9d0d69a4aa71c9266d3ae6aac1708541db5ba3a0c0de6c397100c16fc31e8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded URLs, with one specifically identified as a malicious redirector. This redirector points to a URL that appears to be a lure for downloading a modded APK for the game 'Alien Shooter TD'. The presence of a malicious redirector and the nature of the linked content suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=alien+shooter+td+mod+apk+revdl
    • https://static.usrfiles.com/ugd/93c935_7365b36ab01845c1a5765a259ad900c1.pdf
    • https://static.usrfiles.com/ugd/5899d5_383d4cbdff4d4af38162d6849126c7e7.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_6fb982b7777a4daebd525019d56a29c0.pdf
    • https://static.usrfiles.com/ugd/a91264_ef231662ab764a7f9cd42f71a905d900.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5c203be6fd04277a123e4f82d50e7ba.pdf
    • https://cdn.shopify.com/s/files/1/0431/9579/3568/files/26395705082.pdf
    • https://cdn.shopify.com/s/files/1/0437/1005/4554/files/96456083650.pdf
    • https://cdn.shopify.com/s/files/1/0436/0844/0990/files/20307911429.pdf
    • https://cdn.shopify.com/s/files/1/0434/2985/5393/files/beginner_workout_routine_at_home.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/36149341097.pdf
    • https://static.usrfiles.com/ugd/1decf9_608b6b82fe8b4de889377da34423b7ee.pdf
    • https://static.usrfiles.com/ugd/764aaa_5c08a7cca6bf4e099e0b8d344109f178.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a39.bin
c6ca394841103d0c9024c761d332922d18e7e3c6276996932bfa535e85098365		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A39 5312 bytes
font_01_sfnt_off00006c1e.bin
051c584b4fb6d68263b9a54a62e6fd99bbd023417ce085b428d90923ee31588b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C1E 9992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.