Malicious PDF — malware analysis report

Static analysis result for SHA-256 20c222aec4d3317a…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-09-12 00:38:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
(Created and Authoring application are read from the document's own metadata and are author-controlled; treat them as claims, not facts.)
MD5: 01209a53b4569034aeec2a6328dd66c4
SHA-1: c722bf9c9ec3991817026a559fb65119def7d1cd
SHA-256: 20c222aec4d3317a2f597dadb29139727a69eb400a504fb8dede1d2e392806fa
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the sample's clickable link annotations and body text both carry the redirector URL)
T1059.001 Command and Scripting Interpreter: PowerShell (campaign-level association only; the static findings below show URLs reached through link annotations and body text, and no script or launch content in the file itself supports this technique)

The PDF carries a large number of clickable link annotations. One points at ttraff.club, a known malicious redirector, and the same redirector URL is repeated in the body text, which sits inside the document's compressed content streams rather than in plain view (the "obfuscated" body of the raw-file view), so a plain string search of the file finds only the annotation. The remaining links are external PDFs clustered on a single CDN host; together with the small file size this matches the generated SEO link-farm carriers used to route users into a phishing, malware or unwanted-software delivery chain, not a normal document's citation pattern.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the payload is whatever the redirect chain serves at click time, not the file itself.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF with many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; a normal document's citations do not cluster this way.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (link annotation and document body):
    • https://ttraff.club/wix?keyword=bajirao+mastani+hd+movie++mp4
    Link-farm targets (link annotations):
    • https://cdn.shopify.com/s/files/1/0437/2915/8295/files/lohmann_brown_management_guide.pdf
    • https://cdn.shopify.com/s/files/1/0436/3173/9033/files/adoption_form.pdf
    • https://cdn.shopify.com/s/files/1/0438/8428/2008/files/bigowemifo.pdf
    • https://cdn.shopify.com/s/files/1/0430/0118/4417/files/27361259753.pdf
    • https://cdn.shopify.com/s/files/1/0429/8250/6647/files/45098094353.pdf
    • https://static.usrfiles.com/ugd/bfd78a_4cd4d393471c4029834fb1d2b359509e.pdf
    • https://cdn.shopify.com/s/files/1/0428/2882/4742/files/studietrust_bursary_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0429/5317/9289/files/sefas.pdf
    • https://cdn.shopify.com/s/files/1/0430/8225/2442/files/10087165801.pdf
    • https://cdn.shopify.com/s/files/1/0430/6190/3517/files/30513036001.pdf
    • https://cdn.shopify.com/s/files/1/0433/4754/2175/files/voxesevotipewu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1344/7577/files/git_bash_profile.pdf
    XMP/RDF namespace URIs from the document metadata (not clickable links, expected in any wkhtmltopdf output, not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
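The two link heuristics above and the per-channel URL labelling can be reproduced with a short triage script. The following is an added example written for this page, not the scanner's own code. The thresholds (file size under 100 KB, at least eight external .pdf links, 60% of them on one host), the constructed sample PDF and the redirector host list are assumptions; the one redirector host in the list is the one this report flagged. The constructed sample keeps its content stream uncompressed so the body-text pass works on raw bytes; on a real wkhtmltopdf file the FlateDecode streams have to be inflated first, and XMP namespace URIs are labelled separately so they never count as indicators.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Redirector indicator list: an assumption for this example, seeded with the
# host this report flagged under PDF_MALICIOUS_REDIRECTOR_LINK.
REDIRECTOR_HOSTS = {"ttraff.club"}

# PDF literal string: (...) with backslash escapes allowed inside.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)        # link annotation action
TJ_RE = re.compile(PDF_STRING + rb"\s*Tj")           # text-show operator in a content stream
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')       # XMP/RDF namespace declarations
HTTP_RE = re.compile(rb"https?://[^\s()<>\"']+")


def extract_urls_by_channel(pdf: bytes) -> dict:
    """Label each URL with the channel that carries it, as the EMBEDDED_URL
    heuristic describes. Content streams are read as-is here; a real sample's
    FlateDecode streams must be inflated before the body-text pass."""
    ch = {"link_annotation": [], "body_text": [], "xmp_namespace": []}
    for m in URI_RE.finditer(pdf):
        ch["link_annotation"].append(m.group(1).decode("latin-1"))
    for m in TJ_RE.finditer(pdf):
        ch["body_text"] += [u.decode("latin-1") for u in HTTP_RE.findall(m.group(1))]
    for m in XMLNS_RE.finditer(pdf):
        ch["xmp_namespace"].append(m.group(1).decode("latin-1"))
    return ch


def classify(pdf: bytes, max_size=100_000, min_pdf_links=8, cluster_ratio=0.6) -> dict:
    """Apply the redirector and link-farm heuristics. Thresholds are assumptions."""
    ch = extract_urls_by_channel(pdf)
    links = ch["link_annotation"]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    # Only clickable links and visible text count; XMP namespace URIs never do.
    redirector = {u for u in links + ch["body_text"] if urlsplit(u).hostname in REDIRECTOR_HOSTS}
    hits = []
    if redirector:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
            and top_n >= cluster_ratio * len(pdf_links)):
        hits.append("PDF_SEO_LINK_FARM")
    return {
        "hits": hits,
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(top_n / len(pdf_links), 2) if pdf_links else 0.0,
        "redirector_urls": sorted(redirector),
        "channels": ch,
    }


def build_sample_pdf() -> bytes:
    """Constructed stand-in for the sample (not the analysed file): one redirector
    link, ten external .pdf links (nine on one CDN host), the redirector URL
    repeated in body text, and XMP namespace declarations in the metadata."""
    redirector = "https://ttraff.club/wix?keyword=bajirao+mastani+hd+movie++mp4"
    links = [redirector]
    links += [f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/doc{i}.pdf" for i in range(9)]
    links += ["https://static.usrfiles.com/ugd/example.pdf"]
    objs = [f"{i} 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >> endobj"
            for i, u in enumerate(links, start=10)]
    body = f"BT /F1 12 Tf (Download here: {redirector}) Tj ET"
    objs.append(f"4 0 obj << /Length {len(body)} >> stream\n{body}\nendstream endobj")
    xmp = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>')
    objs.append(f"5 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj")
    return ("%PDF-1.4\n" + "\n".join(objs) + "\n%%EOF\n").encode()


if __name__ == "__main__":
    result = classify(build_sample_pdf())
    print(result["hits"], result["pdf_links"], result["top_host"], result["top_host_share"])
    for channel, urls in result["channels"].items():
        print(channel, len(urls))
```

On the constructed sample both critical heuristics fire: the redirector URL is seen through two channels, and nine of the ten .pdf links sit on one host. The host-share test is what separates a link farm from a long but honest bibliography, so tune that ratio and the size cap against a corpus of benign generated PDFs before using it for blocking.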

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00004680.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4680    5440 bytes
    SHA-256: 93d029e45df9fc6d0bb59c0ae86c6766f8b2fc9723a5b07db96f99219b452cd1
font_01_sfnt_off000058e8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x58E8   10596 bytes
    SHA-256: b8497d1f2b1a36db7d16d988a53ade50b97b77efce160ce483dafb63b51ea30f
font_02_sfnt_off00007cee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7CEE   16808 bytes
    SHA-256: 78550e7e1d9a6b780b8bc1db0c73c16a975fd0e7bff47e03ce0c45fda6c61a5a

Embedded subset fonts are expected in wkhtmltopdf output; they are listed for completeness and none of the three heuristics above depends on them.
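The carving behind this table (walk the object streams, inflate FlateDecode data, recognise an sfnt signature, record offset, decoded size and SHA-256 under the same filename convention) can be reproduced with the following added example, written for this page rather than taken from the analyser. The constructed PDF and the minimal sfnt inside it are assumptions, the recorded offset is the start of the stream data, and only flat stream dictionaries with a direct /Length are handled. The example also flags any table whose declared offset and length run past the carved data, which is the first thing to check on a carved font before handing it to a font parser.

```python
import hashlib
import re
import zlib

# Object header, flat stream dictionary and the "stream" keyword. A triage
# regex, not a full PDF parser: nested dictionaries and object streams are
# out of scope here.
OBJ_STREAM_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")

# sfnt container signatures: TrueType (two spellings), CFF-based OpenType, collections.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType",
               b"OTTO": "CFF OpenType", b"ttcf": "TrueType collection"}


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Inflate each FlateDecode stream and keep those that start with an sfnt
    signature. Every hit records the stream-data offset, decoded size, table
    directory, SHA-256, and any table whose offset+length overruns the data."""
    fonts = []
    for m in OBJ_STREAM_RE.finditer(pdf):
        d, start = m.group(2), m.end()
        lm = DIRECT_LENGTH_RE.search(d)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:  # indirect /Length: fall back to scanning for the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end].rstrip(b"\r\n")
        data = raw
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue
        flavor = SFNT_MAGICS.get(data[:4])
        if flavor is None:
            continue
        num_tables = int.from_bytes(data[4:6], "big")
        tables, truncated = [], []
        for i in range(num_tables):
            rec = data[12 + 16 * i:28 + 16 * i]   # tag, checksum, offset, length
            if len(rec) < 16:
                truncated.append("<directory>")
                break
            tag = rec[:4].decode("latin-1")
            off = int.from_bytes(rec[8:12], "big")
            length = int.from_bytes(rec[12:16], "big")
            tables.append(tag)
            if off + length > len(data):
                truncated.append(tag)
        fonts.append({
            "filename": f"font_{len(fonts):02d}_sfnt_off{start:08x}.bin",
            "offset": start,
            "size": len(data),
            "flavor": flavor,
            "tables": tables,
            "truncated_tables": truncated,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return fonts


def build_fake_sfnt(tags, corrupt_last_length=False) -> bytes:
    """Constructed minimal TrueType-flavoured sfnt: 12-byte header, 16-byte
    table records, filler bodies. Not a usable font, only enough structure for
    the carver; corrupt_last_length overstates the last table's length."""
    n = len(tags)
    header = b"\x00\x01\x00\x00" + n.to_bytes(2, "big") + b"\x00" * 6
    directory, bodies, offset = b"", b"", 12 + 16 * n
    for i, tag in enumerate(tags):
        body = tag * 4
        length = 0x1000 if corrupt_last_length and i == n - 1 else len(body)
        directory += tag + b"\x00\x00\x00\x00" + offset.to_bytes(4, "big") + length.to_bytes(4, "big")
        bodies += body
        offset += len(body)
    return header + directory + bodies


def wrap_in_pdf(font: bytes) -> bytes:
    """Constructed PDF skeleton: one Flate content stream (not a font, must be
    skipped) and one Flate font stream with the /Length1 key embedded
    TrueType fonts usually carry."""
    content = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    zfont = zlib.compress(font)
    return b"".join([
        b"%PDF-1.4\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(content),
        content, b"\nendstream endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n" % (len(zfont), len(font)),
        zfont, b"\nendstream endobj\n",
        b"%%EOF\n",
    ])


def build_sample_pdf() -> bytes:
    return wrap_in_pdf(build_fake_sfnt([b"head", b"cmap", b"glyf"]))


if __name__ == "__main__":
    for f in carve_sfnt_fonts(build_sample_pdf()):
        print(f["filename"], f["flavor"], f["size"], "bytes", f["tables"], f["truncated_tables"], f["sha256"])
```

The sizes in the table above are those of the carved (decoded) font files, not of the compressed streams in the PDF, which is why the offsets are closer together than the sizes suggest. A non-empty truncated_tables list means the stream was cut short or the directory is lying about its tables; either way the artifact should be parsed in a sandboxed font library, not a production renderer.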