Malicious PDF — malware analysis report

Static analysis result for SHA-256 29810d34bb1548ec…

Verdict: MALICIOUS
File type: PDF
Size: 46.4 KB
Created: 2020-08-31 14:01:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c2cd57951659887e3bf1f9c00e6987f7
SHA-1: 82a0a4330239d6ea74f33dab9f17967c57648575
SHA-256: 29810d34bb1548ecf59651a04b970676e46fc8eb6802ba8fb226e42ccd3e0045
Risk score: 150

The creation time and authoring application are read from the document's own metadata, which whoever produced the file controls; they describe how the file was generated, not who generated it.

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the clickable link annotations carry the lure)
T1059.001 Command and Scripting Interpreter: PowerShell (not evidenced by any artifact in this static report, which carved only fonts; treat as a downstream-stage mapping, not a finding about this file)

The PDF carries a link farm: many clickable link annotations to externally hosted PDFs, plus one primary link to a known malicious redirector. The document body does not yield readable text (it appears obfuscated or corrupted), but the redirector URL alone is strong evidence of a phishing or malware-distribution carrier, and the ML classifier flagged the file with maximum confidence. This report records no JavaScript, launch action or embedded file; the only carved artifacts are four embedded fonts, so the attack path depends on the reader clicking a link rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the exposure is to whoever clicks the link, not to the rendering software.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches machine-generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

    Primary link (the redirector referenced in the summary):
    • https://ttraff.ru/wix?keyword=pashan%2528+2019+bangla+full+movie

    External PDF links (the link farm: ten on static.usrfiles.com, three on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/de60da_7b717bcfbec94b1e8c22ee3f9bbb4bf3.pdf
    • https://static.usrfiles.com/ugd/a18aa6_a50f90fe039e41e0bc95271f0e9b6b63.pdf
    • https://static.usrfiles.com/ugd/d3758e_6775d5fba7f74c3cb7dbe1271277adae.pdf
    • https://static.usrfiles.com/ugd/67f5f7_310bf672b4054249b6705932a7b47dc5.pdf
    • https://static.usrfiles.com/ugd/41f880_3dfbd8ebf1324f5f965661225e29df86.pdf
    • https://static.usrfiles.com/ugd/b8c837_7018903051f044beb3f1af54db9e7b8c.pdf
    • https://static.usrfiles.com/ugd/c83fdb_e982af5a8abd49eea121e2e2bc7478fa.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_6edc75832fdf4862a15377c2d2883489.pdf
    • https://static.usrfiles.com/ugd/b8c837_faaf3c9e0281428e8953186c81dee55c.pdf
    • https://static.usrfiles.com/ugd/b8c837_945b6f7220ff415db9fb288c663fedef.pdf
    • https://cdn.shopify.com/s/files/1/0428/7715/7542/files/xigonufivubojenukup.pdf
    • https://cdn.shopify.com/s/files/1/0432/7384/6952/files/68039943865.pdf
    • https://cdn.shopify.com/s/files/1/0430/3264/1689/files/revamelajipanupafilivujif.pdf

    XMP/RDF namespace URIs from the document's metadata packet. These are schema identifiers carried as xmlns attributes, not clickable links, and carry no detection weight:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
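As an added worked example (not code from the analysis platform that produced this report), the following Python re-implements the two critical heuristics above over raw PDF syntax, including link annotations stored in Flate-compressed streams, and shows why URL-shaped strings from the XMP metadata packet have to be separated from link annotations before counting. The thresholds (100 KB, 8 PDF links, 60% on one host), the sample URLs, the placeholder hosts and the redirector blocklist are constructed for this example; the real sample is not used.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Raw-syntax patterns: the /URI entry of a URI action, stream bodies, and anything URL-shaped.
# (?<!end) stops "endstream" from being taken as the start of a stream.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
HTTP_RE = re.compile(rb"https?://[^\s<>\"')\]]+")

# XMP/RDF schema identifiers live in the metadata packet as xmlns= attributes.
# They are not clickable and must not count toward any link heuristic.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/", "http://ns.adobe.com/")


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """URIs reachable via link annotations (/A << /S /URI /URI (...) >>), including
    annotations stored inside Flate-compressed object streams."""
    raw = URI_RE.findall(pdf_bytes)
    for body in STREAM_RE.findall(pdf_bytes):
        try:  # decompressobj tolerates a missing trailing checksum byte if the regex ate a \r
            raw += URI_RE.findall(zlib.decompressobj().decompress(body))
        except zlib.error:
            continue  # not a Flate stream (e.g. the XMP packet): the raw scan already covered it
    return [_unescape(r).decode("latin-1") for r in raw]


def extract_all_http_strings(pdf_bytes: bytes) -> list:
    """Naive EMBEDDED_URL-style scan: every URL-shaped string, whatever channel it sits in.
    This is the scan that also surfaces XMP namespace URIs, hence the need for per-URL labels."""
    return sorted({m.decode("latin-1") for m in HTTP_RE.findall(pdf_bytes)})


def is_xmp_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def link_farm_verdict(pdf_bytes: bytes, redirector_hosts: set, max_size: int = 100 * 1024,
                      min_pdf_links: int = 8, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK re-implemented; thresholds are assumptions."""
    uris = [u for u in extract_link_uris(pdf_bytes) if not is_xmp_namespace(u)]
    parsed = [urlparse(u) for u in uris]
    pdf_links = [p for p in parsed if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(p.netloc.lower() for p in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = round(top_count / len(pdf_links), 2) if pdf_links else 0.0
    redirectors = sorted({p.geturl() for p in parsed if p.netloc.lower() in redirector_hosts})
    return {
        "links": uris,
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "redirector_links": redirectors,
        "PDF_SEO_LINK_FARM": len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
                             and share >= cluster_ratio,
        "PDF_MALICIOUS_REDIRECTOR_LINK": bool(redirectors),
    }


def build_sample_pdf(uris, compressed_uris=()) -> bytes:
    """Constructed test input, not the analysed sample: one /Link annotation per URI, an XMP
    packet with namespace URIs, and a Flate-compressed stream holding further annotations
    (simplified: a real object stream also carries an offset table)."""
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A << /S /URI /URI (%s) >> >>"
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf"/></rdf:RDF></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + b" ".join(b"%d 0 R" % (5 + i) for i in range(len(uris))) + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp)]
    objs += [annot % u.encode("latin-1") for u in uris]
    if compressed_uris:
        body = zlib.compress(b"\n".join(annot % u.encode("latin-1") for u in compressed_uris))
        objs.append(b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(body), body))
    out = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_constructed_sample() -> bytes:
    """Eleven links shaped like the report's: eight PDFs on one static host, two on a second
    host, one non-PDF redirector URL. All hosts are constructed placeholders."""
    farm = ["https://static.files.example/ugd/%06x_deadbeef.pdf" % i for i in range(8)]
    farm += ["https://cdn.shop.example/s/files/1/0428/7715/7542/files/a.pdf",
             "https://cdn.shop.example/s/files/1/0432/7384/6952/files/b.pdf"]
    redirector = "https://redirector.example/wix?keyword=some+movie+title"
    return build_sample_pdf([redirector] + farm[:7], compressed_uris=farm[7:])


def analyse_constructed_sample() -> dict:
    return link_farm_verdict(build_constructed_sample(), redirector_hosts={"redirector.example"})


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_constructed_sample(), indent=2))
```

The regex approach is deliberately tolerant of malformed files (no xref walk), which is what you want on a triage box; the trade-off is that it cannot tell an annotation in a live object from one left in an orphaned or incremental-update object, so treat counts as upper bounds and confirm in a real parser before acting on a borderline link-farm hit.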

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font programs, consistent with a page rendered by wkhtmltopdf; no script, embedded file or launch-action content was carved.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000474e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x474E  5848 bytes
    SHA-256 3d7f8e154680453bc55d4d0248fc5758d1d799ac29f2414229351be47dbfb22d
font_01_sfnt_off00005b22.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5B22  8000 bytes
    SHA-256 23e08c0a59f7d0ef89d08505f18c504b488b6fa2c4aea9c6004c8c6078eea756
font_02_sfnt_off00007482.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7482  8316 bytes
    SHA-256 c6fa4f23c21af08b47f2b183c2742cccc898d0e4be3a0fb7d3a186f6bbf1ff53
font_03_sfnt_off00008b43.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8B43  9668 bytes
    SHA-256 94ee7d65930f650f64ffaa863d2fe4722e011f96f03cd12507fba9ed85bfc49d