Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5a09b2c1b788404…

MALICIOUS

PDF

62.0 KB Created: 2020-09-16 20:22:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a8ca6c65eef9df9e17384c3746dda53 SHA-1: 3cb34dd6097cc93f8c15f6f5e2138a15d69a75c2 SHA-256: f5a09b2c1b7884049f2c8603a143b079ff783fc885480530f6d682b144dae221
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a large number of embedded links, including a known malicious redirector. The document body text, though partially corrupted, suggests a lure related to a "Starfinder operations manual". The presence of numerous external links, many pointing to file hosting services, indicates a link farm or redirection strategy to distribute further malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=starfinder+operations+manual
    • http://files.veronicapark.space/uploads/1/3/2/8/132816066/7043026.pdf
    • http://files.indianaturtlecare.com/uploads/1/3/0/7/130740242/3306832.pdf
    • http://files.hypnosisgta.com/uploads/1/3/1/1/131164153/vogutanokabusipiziz.pdf
    • http://sukatizi.animalplaceveterinaryhospital.com/uploads/1/3/1/6/131606233/modid_gonidipe_lisavodepona.pdf
    • http://files.naturparkmaribo.dk/uploads/1/3/2/7/132710784/9755000.pdf
    • https://2aff94b9-d750-4a51-ab07-a6153adabf91.filesusr.com/ugd/e4ee87_bc53f10ea80a4d55b3db75d095547695.pdf?index=true
    • https://4e6f8308-4f45-46de-aa9f-9ccbad9ecd38.filesusr.com/ugd/2994dd_0cccbf8e47034726a5e7012d9dec7896.pdf?index=true
    • https://bc2f5dc2-3952-4a55-82a7-12bb7b594127.filesusr.com/ugd/1a1092_909c142eb91948fa909fc33a1fa28f5c.pdf?index=true
    • https://9e19975d-9329-48d5-8683-e7c24cf6f713.filesusr.com/ugd/b361c6_27773007d7d14d0e92f8124f1ab50190.pdf?index=true
    • https://2cb3cedf-3fc7-40d9-84db-ac45eb0d0798.filesusr.com/ugd/269bb8_51976fc514aa4bd89f514aa91e57d0c7.pdf?index=true
    • https://4ce8a828-586d-414c-b48b-b70b4580e075.filesusr.com/ugd/5af86b_072903b5437d43cca60cb757bb4565b1.pdf?index=true
    • https://5f4bc5d6-944b-410a-bc06-e5b14c489a93.filesusr.com/ugd/a8ca0f_43d966dc331f4ab588e0b9315d5f141b.pdf?index=true
    • https://06090765-c5dd-45f8-8eaa-b0d3ae226864.filesusr.com/ugd/e80f4c_a4c01e0f37b4437994d1ab181f0172c0.pdf?index=true
    • https://9400ae49-5fc5-42f7-8f81-1952de9aad70.filesusr.com/ugd/2eff39_8e35495bc8684190a1dd203fbc582449.pdf?index=true
    • https://967145e8-0c63-4514-8c13-45fcba1b851e.filesusr.com/ugd/158fb9_c80f18e821b94a92b7a2b48cadff2424.pdf?index=true
    • https://a9b2f81d-7574-44ec-895b-a8c33ca75059.filesusr.com/ugd/ac8c68_3c77e1842b64440d9348afafca888229.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000aa61.bin
85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAA61 2828 bytes
font_01_sfnt_off0000b45b.bin
4eba2d60975f4c91244944505249b7b1504686bfcbbce1f09749749b011d837d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB45B 5292 bytes
font_02_sfnt_off0000c642.bin
6fa5fd85c17af33b02d347d31d29ec4e2dc03338567986c5fd8ecaac246cb8df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC642 9976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.