Malicious PDF — malware analysis report

Static analysis result for SHA-256 e187fd8117938d81…

MALICIOUS

PDF

Size: 45.2 KB
Created: 2020-09-13 02:00:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10ddae35d0835e7fe11c550ce7a0ae27
SHA-1: 342ef40433238cd13b5abd934f3fdf13c06b34f7
SHA-256: e187fd8117938d811661e778ccc9a328c147aa2c154b0b06d36b72d77b7d6c90
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure, specifically a URL related to 'gta 5 manual transmission xbox one'. Another critical heuristic identifies it as a PDF link farm with numerous external links, many pointing to suspicious domains. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same lure text and URLs, confirming the intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.link/pify?keyword=gta+5+manual+transmission+xbox+one

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000063f2.bin
    SHA-256: 81f550c6d0ac0944b49a62ebd442e817204eb5df3e2c0a35a26d5822c85032ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63F2
    Size: 5076 bytes
  • Filename: font_01_sfnt_off00007524.bin
    SHA-256: 3c4cba99f16a9313733f2916c9a6b3071c6f1910c182a7fdb9d3dadd04522587
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7524
    Size: 10668 bytes
  • Filename: font_02_sfnt_off000099a3.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x99A3
    Size: 4324 bytes