Malicious PDF — malware analysis report

Static analysis result for SHA-256 efb91c521c34736c…

MALICIOUS

PDF

42.8 KB Created: 2020-08-30 03:52:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0fb207eb9ebea4c15788ceb53c393e37 SHA-1: c405d6066a5966aa78d895aa1246edcaa1ce2b86 SHA-256: efb91c521c34736c12c8d2c47fab42239c3bc09cdb9f0029168c30f6356709e6
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised with a keyword related to 'Google play services'. This indicates a phishing or social engineering attempt to trick the user into visiting a potentially harmful site. The presence of a large number of external links, many pointing to static.usrfiles.com, suggests a link farm used for SEO poisoning or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=google+play+services+13.+2.+78+apk
    • https://static.usrfiles.com/ugd/b5aed9_d6ef10628a604631b984d8156d1fb5fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_a32a52964d8f440ab9dfd5f79824a3d7.pdf
    • https://static.usrfiles.com/ugd/b8c837_ede159e9ff6148fd9653b5df92031ea0.pdf
    • https://static.usrfiles.com/ugd/91e123_8be12bd6b35c4a43ad9064e27c3932f0.pdf
    • https://static.usrfiles.com/ugd/b8c837_96ef957819994517b88d579f13cb03cc.pdf
    • https://static.usrfiles.com/ugd/de65f7_ee9fff2f6a9e4d82a5693fe82959fc1d.pdf
    • https://static.usrfiles.com/ugd/b8c837_f6f01d067cf54a63b6bc79927bb47493.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9164efb46d5406fb378750e86610c5d.pdf
    • https://static.usrfiles.com/ugd/b8c837_b97c27ea8c4e48958c5882783e11ffa9.pdf
    • https://static.usrfiles.com/ugd/6cf0f5_e4913e9d06d5421687c7de39c9232ad1.pdf
    • https://static.usrfiles.com/ugd/dd4472_62a1483adb6b479a950df21b4d323326.pdf
    • https://static.usrfiles.com/ugd/b8c837_626a42b00ac241278c55a1596d4feacd.pdf
    • https://static.usrfiles.com/ugd/b8c837_91879f6d3d30418fb32567c1b1ade972.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab918a06946b4d48873b31213d183f3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_b2fbf2502bc746fe86a3c4dec6c5054f.pdf
    • https://static.usrfiles.com/ugd/26938b_c417f13b118d4573b45e86a44d154259.pdf
    • https://static.usrfiles.com/ugd/b98abb_89e4dc9df136417db63b39baddf1e96b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005268.bin
572cc24aad83f3872207a61c58c5f63086c194af29333d6bd42eda97ed3459c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5268 6012 bytes
font_01_sfnt_off00006715.bin
190ec95943c07c49643e7b7483040a48201083569bbda747fe1b827143b800c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6715 9500 bytes
font_02_sfnt_off000087e9.bin
aa8debcae1a06655930fb751c282738fd584aa2c6b3da21549c514e4a724bb9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87E9 16372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.