Malicious PDF — malware analysis report

Static analysis result for SHA-256 f53f24a2aac96018…

Verdict: MALICIOUS
File type: PDF
Size: 92.6 KB
Created: 2020-09-19 08:44:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3278067fb3d29be4ae0320d2c5f5608a
SHA-1: 2f93fb48918b029e29051d89b2fb2a428b4094aa
SHA-256: f53f24a2aac96018a8b138dc216482a26749c6d8f1a4c3941ed14d81089d57d6
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (not evidenced in this sample: the findings below consist of clickable link annotations and embedded fonts, with no JavaScript, OpenAction or Launch artifact; treat this mapping as unsupported by this report)

The PDF was flagged as malicious by a machine learning classifier (Nyx PDF Classifier, score 0.9999) and carries a clickable link to a known malicious redirector, https://ttraff.cc/wix?keyword=bowmaster+guide+croosade. The same redirector URL also appears in the heavily obfuscated document body. The remaining 13 external links point at other PDFs hosted on Wix user-file storage (*.filesusr.com) and cdn.shopify.com, the mass cross-linking pattern of an SEO-poisoning link farm built to funnel search traffic into a redirect chain. The document was produced from HTML by wkhtmltopdf, and no script or exploit artifact was found; the risk depends on a user clicking the link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info, meaning the duplicate body carried no active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel (macro, JS, link annotation, document body, ...) that reached each URL, and the URLs below are grouped accordingly.
    Clickable link target, also present in the obfuscated document body: known malicious redirector
    • https://ttraff.cc/wix?keyword=bowmaster+guide+croosade
    Clickable link targets: 13 external PDFs (11 on Wix user-file storage under *.filesusr.com, 2 on cdn.shopify.com)
    • https://50feafa3-e6e8-435f-a220-af6a304302e7.filesusr.com/ugd/ee9d3f_55007365b413464292398a7cdb34ef3a.pdf?index=true
    • https://b16af34d-2215-4e4a-8ce2-6ca4ae5e2b05.filesusr.com/ugd/451a43_587459b9db0e4f86a55617643899e284.pdf?index=true
    • https://ae7d9923-c9c4-4370-b25f-6ca6c589aae3.filesusr.com/ugd/b47706_d6673bfebce9486ca65714a791b52c9b.pdf?index=true
    • https://47ba63c7-5361-41d0-814f-4d3b846010f4.filesusr.com/ugd/82d61e_32a7bbcf6c5a4c6587414f3287992f70.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/5911/8229/files/39759997151.pdf
    • https://cdn.shopify.com/s/files/1/0429/2991/4012/files/functional_plant_ecology.pdf
    • https://c1cc4e50-e70b-4a26-902a-c0df28efc55e.filesusr.com/ugd/b14caa_b8e221756ae2472ab8bac3a8d1a8388a.pdf?index=true
    • https://166cc7b3-5551-4215-b734-cb586809bc77.filesusr.com/ugd/a18601_4ce1e5b5ebb949fa805fcee13aa81018.pdf?index=true
    • https://29f7ea04-cc07-4112-8de5-2af057779993.filesusr.com/ugd/974a4e_5efed5f7f42b445a964ebc89fd079696.pdf?index=true
    • https://e1087147-6778-4106-90a8-ab108a053f7b.filesusr.com/ugd/b0c717_7ab2b6f64202426c832492d16670466c.pdf?index=true
    • https://e1e2a4d7-6797-4de4-b2f4-932476f2fa8e.filesusr.com/ugd/48bf55_b796fa1371cb4e688b0e2ceddcc795f2.pdf?index=true
    • https://949219c4-ef3d-4396-a635-36c82faf8c7c.filesusr.com/ugd/941881_402eda9b84814690a19f3353d1fe8b3c.pdf?index=true
    • https://7eaf8f94-8f3a-40f7-b3d2-8ed16aa90843.filesusr.com/ugd/3f0e57_1de9bd8bedc2417a838f2ef2c902ccf1.pdf?index=true
    XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe XMP schema identifiers from the document's metadata stream; not links and not indicators)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
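As an added example (not part of this report or of its analysis engine), the following Python script reproduces the three checks above on raw PDF bytes: it enumerates indirect objects and reports any defined twice with different bodies, resolves the file both first-wins and last-wins to show how the set of clickable /URI targets changes between the two, separates XMP namespace URIs from link targets, and applies a link-farm heuristic on the resolved links. Every hostname, object body and threshold in it is a constructed assumption for illustration, and it only handles uncompressed object dictionaries of the kind wkhtmltopdf/Qt writes.

```python
"""Added example, not the report's own tooling: raw-bytes triage of a PDF for the
duplicate-object, /URI link and link-farm heuristics. It matches uncompressed object
dictionaries (as wkhtmltopdf/Qt emit them); PDFs that pack annotations into compressed
object streams need a real parser. Thresholds and the sample PDF are constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # literal strings only; hex <..> strings ignored
XMP_NS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')  # namespace URIs inside XMP metadata, not links

# Constructed sample: an "incremental update" redefines object 4 0 (a link annotation).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 7 0 R >>
endobj
2 0 obj
<< /Type /Page /Annots [3 0 R 4 0 R 5 0 R 6 0 R] >>
endobj
3 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/wix?keyword=test) >> >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a1.files.example/ugd/one.pdf?index=true) >> >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b2.files.example/ugd/two.pdf?index=true) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shop.example/files/three.pdf) >> >>
endobj
7 0 obj
<< /Type /Metadata /Subtype /XML /Length 123 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF></x:xmpmeta>
endstream
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/wix?keyword=test) >> >>
endobj
%%EOF
"""

def iter_objects(data):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()

def find_duplicate_objects(data):
    """Same (num, gen) defined more than once with differing bodies -> {key: [bodies]}."""
    seen = {}
    for key, body in iter_objects(data):
        seen.setdefault(key, []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def resolved_objects(data, policy="last"):
    """Resolve duplicates the way a first-wins or last-wins reader would."""
    objs = {}
    for key, body in iter_objects(data):
        if policy == "last" or key not in objs:
            objs[key] = body
    return objs

def extract_link_uris(data, policy="last"):
    """/URI targets a reader using the given policy would actually expose as clickable links."""
    objs = resolved_objects(data, policy)
    return [u.decode("latin-1") for key in sorted(objs) for u in URI_RE.findall(objs[key])]

def extract_xmp_namespaces(data):
    """xmlns URIs from XMP metadata: URL-shaped strings that are not link targets."""
    return sorted({u.decode("latin-1") for u in XMP_NS_RE.findall(data)})

def registered_domain(url):
    """Collapse throwaway subdomains (uuid.filesusr.com style) to the last two labels.
    Approximation only; production code should consult the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def link_farm_verdict(uris, size_bytes, min_pdf_links=3, max_size=200_000, cluster_share=0.5):
    """Link-farm shape: small file, several external .pdf links, mostly one domain family.
    The thresholds are assumptions for this example, not the report's."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    families = Counter(registered_domain(u) for u in pdf_links)
    top_domain, top_count = families.most_common(1)[0] if families else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = size_bytes <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_share
    return {"pdf_links": len(pdf_links), "top_domain": top_domain,
            "top_share": round(share, 2), "flagged": flagged}

def triage(data):
    """Run the link-farm check under both resolution policies and flag if either fires;
    a duplicate object that changes the link set between policies is the confusion case."""
    verdicts = {p: link_farm_verdict(extract_link_uris(data, p), len(data)) for p in ("first", "last")}
    return {"duplicate_objects": sorted(find_duplicate_objects(data)),
            "link_uris": {p: extract_link_uris(data, p) for p in ("first", "last")},
            "xmp_namespaces": extract_xmp_namespaces(data),
            "link_farm": verdicts,
            "flagged": any(v["flagged"] for v in verdicts.values())}
```

Calling triage(SAMPLE_PDF) reports object 4 0 as a duplicate, flags the link-farm shape under the first-wins view (three .pdf links, two on one domain family) but not under last-wins (the redefinition replaced one of them with the redirector), and returns the metadata namespaces separately so they never count as external links. That disagreement is why a triage tool should scan under both policies rather than trust a single reader's resolution; the real sample's 13 .pdf links in 92.6 KB would clear any sensible threshold under either.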

Extracted artifacts 6

Files carved from inside the sample during analysis. All six are embedded sfnt (TrueType/OpenType) font programs, consistent with the wkhtmltopdf/Qt producer embedding the fonts used to render the source HTML; no embedded file, script or executable was carved, so fonts are the only binary payload a reader has to parse here.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000e465.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE465    6440 bytes
  SHA-256 3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a
font_01_sfnt_off0000f428.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF428    4004 bytes
  SHA-256 31d7c545add3aa38d6bbee950acb7e6fa4010e6315020db85e61acb0a9ae64d4
font_02_sfnt_off0001024f.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1024F   5368 bytes
  SHA-256 be9a56f88c803867c7a7bc4958c46bcb84d5991a1f476d22a6500ae57f3f5092
font_03_sfnt_off00011483.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11483   2188 bytes
  SHA-256 96b31e725a5f3d11eb30f1043ecb87bd8e4ea5d80fd07030753ed3f3798e7f37
font_04_sfnt_off00011e9a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11E9A   15144 bytes
  SHA-256 2d2ba76b814e71bfbe8730c8a4502cf08d774c238b6c6bcbf281e35b4aa2d65c
font_05_sfnt_off00014ebb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x14EBB   16152 bytes
  SHA-256 107dd7461bad0ee7f69ec232d7edbfa51533cbe03462e0930b0bd999c9024e27