Malicious PDF — malware analysis report

Static analysis result for SHA-256 2adee7c5fa37c946…

MALICIOUS

PDF

41.2 KB Created: 2020-09-01 01:49:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca3c764ac216874d23698a6b3a4d5f87 SHA-1: 2f03a21ffb3f3c35cbf12c753c0e0fe017cae822 SHA-256: 2adee7c5fa37c946a2dc6a4330ebcc11a2fc59901b87d4431664f83321c8be31
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to a URL that appears to be a lure for 'VPN gate android'. The document body, though heavily obfuscated, contains this same URL. The presence of a link farm heuristic suggests this PDF is part of a larger SEO poisoning campaign. The ML classifier strongly indicates maliciousness. The primary attack vector is likely social engineering via a deceptive document, leading to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=vpn+gate+android+%25D1%2581%25D0%25BA%25D0%25B0%25D1%2587%25D0%25B0%25D1%2582%25D1%258C
    • https://static.usrfiles.com/ugd/5af86b_a09df805d5234f3a9fed66724b8c389a.pdf
    • https://static.usrfiles.com/ugd/217d68_726da6147a294582aedcf32a502b75d1.pdf
    • https://static.usrfiles.com/ugd/286fb8_f276365c4a1042c99452cf7e42936152.pdf
    • https://static.usrfiles.com/ugd/628a76_20bab4d045aa447a92d65c060d8e5843.pdf
    • https://cdn.shopify.com/s/files/1/0429/7064/4631/files/zadirurapafu.pdf
    • https://cdn.shopify.com/s/files/1/0429/6382/8895/files/gugaveta.pdf
    • https://cdn.shopify.com/s/files/1/0438/1055/4013/files/brother_printer_manual_wifi_setup.pdf
    • https://cdn.shopify.com/s/files/1/0434/0485/3402/files/gre_analytical_writing_topics_pool.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ed6f6ed7cc54df5bfc99d64364d70cb.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_bfd44bfc2eda4263ae3fad7df4c0971b.pdf
    • https://static.usrfiles.com/ugd/b88e3d_d0d0a53ad9654e1e84dd85d2215dda7b.pdf
    • https://static.usrfiles.com/ugd/f46427_af3419fe27a84e799c31514e106c1d9d.pdf
    • https://static.usrfiles.com/ugd/b8c837_79154ded9ffe4a9a9b6b6458aae6e1d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_4432918fc98c4ab2a09f518b78c70d36.pdf
    • https://static.usrfiles.com/ugd/79e0dc_343a1104e72d4fa28d12c8221ea5d8b7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cad.bin
e211f2d6e0d1bf1fd17bd5150bc2724fb7c0f1d37b1c69b855d9dcad8de34ab0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CAD 2952 bytes
font_01_sfnt_off0000573b.bin
96bed837262e75bc6b8b41d75db7eb640c4d5ba1feaab4ba5b0a2839def62103		 pdf-font-stream PDF embedded font (sfnt) at offset 0x573B 5512 bytes
font_02_sfnt_off00006990.bin
8b95f4ebf2c01373aedb8e3e7a096d9420dbd1f23ce309a83833a80fd37fe0f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6990 13956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.