Malicious PDF — malware analysis report

Static analysis result for SHA-256 f93e42011e882295…

MALICIOUS

PDF

35.8 KB Created: 2020-08-30 01:32:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 101faf79f800c85ed0ade02d86950b54 SHA-1: db394dd2d756f3df061502efdc69555a69c2e414 SHA-256: f93e42011e882295533a5a84b4224e069c908c1c819f819157bfe32ef650799e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious due to a critical heuristic identifying it as a redirector link to known malicious infrastructure. It also contains a large number of external PDF links, suggesting a link farm. The primary malicious IOC is the redirector URL, which is likely used to lure victims to a phishing or malware-hosting site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=loteria+de+figuras+geometricas
    • https://static.usrfiles.com/ugd/856cea_6207893eaa4b4a29997e769f3fda39ca.pdf
    • https://static.usrfiles.com/ugd/b8c837_6a60fd1361b84521a6891fcd4932acbd.pdf
    • https://static.usrfiles.com/ugd/3aee12_20a4209281d2483c95bb86e0962997c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_7dd8aa1f5fb74c2fb303887fcf4ac9e6.pdf
    • https://cdn.shopify.com/s/files/1/0427/7121/8588/files/randomized_quicksort_java.pdf
    • https://cdn.shopify.com/s/files/1/0428/0313/4627/files/pibeseletovifuboxaduwofuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/4460/0999/files/broken_window_theory.pdf
    • https://cdn.shopify.com/s/files/1/0458/0687/8886/files/does_not_masturbaiting_increase_testosterone.pdf
    • https://cdn.shopify.com/s/files/1/0430/8434/9591/files/number_worksheets_1_20.pdf
    • https://cdn.shopify.com/s/files/1/0434/3015/0309/files/zurolixiwubi.pdf
    • https://cdn.shopify.com/s/files/1/0429/0910/6335/files/94697711376.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d9c.bin
fc7cc2965940d71735c3ccc72186f902d88f655004fedbd67eaf8c58a22347e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D9C 5252 bytes
font_01_sfnt_off00005f65.bin
480eab2990bceb912323e281015adaa086ad26016b46e2986680970b1ae7c72d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F65 10380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.