Malicious PDF — malware analysis report

Static analysis result for SHA-256 28bc37428310490b…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-08-04 15:24:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb665a9334323790441cbead6ec03988
SHA-1: 76eba29baf8099a925c7d88579732f970c9866df
SHA-256: 28bc37428310490b9c0e78cb715a0db4183e8d6d8ba7f965ba51a828f3f5a423
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a document about 'Rudram namakam chamakam in tamil pdf'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the link leads to known malicious infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic indicates a large number of external links, many pointing to shopify.com, suggesting an attempt to manipulate search engine results or lure users through deceptive content. No scripts were extracted, but the primary attack vector appears to be directing users to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=rudram%20namakam%20chamakam%20in%20tamil%20pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000683f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x683F
    Size: 4940 bytes
    SHA-256: 8c90f0a8f2a241c95b39b0bd32d1fa37822a320b9ea0e3c49f0ca7a3f59bf313
  • font_01_sfnt_off000078ce.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x78CE
    Size: 10076 bytes
    SHA-256: d99e5afd7e89824aba54b47d7ba06812004cffcbfab42c6ba34b1b23aedda652
  • font_02_sfnt_off00009b3e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B3E
    Size: 4324 bytes
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230