Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e3f67afbb2ab885…

MALICIOUS

PDF

40.1 KB Created: 2020-09-16 22:48:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a50ae538a1604e780c6e1e53e9ca6e5f SHA-1: bf4e9ea21390638d6e6c95ff96cefd70202e01de SHA-256: 1e3f67afbb2ab885006c0f91612ad742fa8928adf68a35d28e047234cb707e5c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a Nespresso machine manual, aiming to trick users into clicking it. The ML classifier strongly indicates maliciousness. The document body, though heavily obfuscated, contains the malicious URL and a list of other URLs, likely part of a link farm to improve SEO for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=nespresso+machine+le+cube+manual
    • https://5549b5a0-2214-41d8-a3f6-f9a03f57497d.filesusr.com/ugd/c4dbd3_da14f7400ba04cb1900665c86bb1a3e1.pdf?index=true
    • https://41ba2028-66a8-4e88-84fa-115df929a6e1.filesusr.com/ugd/f68081_b3d3521976d34a13ab7cf14d1b7f02bd.pdf?index=true
    • https://3010cf75-d870-495a-a42c-5d8417fc7acd.filesusr.com/ugd/8a4248_0e67667ac22c487d91c9767c6fbc3f6d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0464/7183/9912/files/accounting_theory_and_practice_notes.pdf
    • https://cdn.shopify.com/s/files/1/0433/2562/0374/files/lezomusoselimumoladazom.pdf
    • https://cdn.shopify.com/s/files/1/0435/1927/9259/files/vogebezileboxibuwe.pdf
    • https://cdn.shopify.com/s/files/1/0432/3095/3630/files/3d_models_obj.pdf
    • https://9f512b8f-4258-4acd-a645-fbb4fcbcee40.filesusr.com/ugd/735189_868c1efd07b949aebe02ed9052409637.pdf?index=true
    • https://01883299-6367-43e4-a251-f67adde60b46.filesusr.com/ugd/1e4819_831d53bfe4754610b1d879d82151ff9c.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/1790/3003/files/83292553218.pdf
    • https://cdn.shopify.com/s/files/1/0432/4828/7904/files/takeruderonewubuvelavi.pdf
    • https://cdn.shopify.com/s/files/1/0435/5165/4047/files/49708923830.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000051c1.bin
b9a3320d8f91ce9aae1924a15dfd24b5405101bc59aa605b681b727c85d913c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x51C1 5084 bytes
font_01_sfnt_off000062d1.bin
e7fb8dda8c04608fa48390a5a12a3e7bcee3c70c8014f21f62eef18f22b12f58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62D1 10256 bytes
font_02_sfnt_off000085b3.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85B3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.