Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cfdc063782ee3bc…

Verdict: MALICIOUS
File type: PDF
Size: 114.0 KB
Created: 2020-08-30 21:12:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96d6834fd349f798458c08de32c93fca
SHA-1: 81a58c945c376808263a46eebfc19777f9c3b384
SHA-256: 2cfdc063782ee3bce6535a428ef9deb43cd174b29ffe1b6264916b0efbdace6c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to a URL with a sexually explicit keyword. It also contains a large number of embedded links, many of which point to benign Shopify domains, suggesting a link farm or SEO poisoning tactic. The ML classifier strongly flagged this PDF as malicious. The primary malicious IOC is the redirector URL, which is likely used to funnel users to adult content or further malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=attack+on+titan+mikasa+nude
    • https://cdn.shopify.com/s/files/1/0436/5425/0654/files/tarubarorelozabesu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/76914834932.pdf
    • https://cdn.shopify.com/s/files/1/0430/9647/3749/files/mega_link_generator.pdf
    • https://cdn.shopify.com/s/files/1/0435/5109/6984/files/70316302215.pdf
    • https://cdn.shopify.com/s/files/1/0435/2180/2404/files/sinus.pdf
    • https://cdn.shopify.com/s/files/1/0437/6874/2040/files/63454233274.pdf
    • https://cdn.shopify.com/s/files/1/0436/0667/1517/files/pajapaluf.pdf
    • https://cdn.shopify.com/s/files/1/0431/4244/7261/files/94426277416.pdf
    • https://cdn.shopify.com/s/files/1/0452/2383/7856/files/school_vocabulary_flashcards.pdf
    • https://cdn.shopify.com/s/files/1/0434/6091/9446/files/nuzaz.pdf
    • https://static.usrfiles.com/ugd/c0fca2_5cf9545371c74736bfa71e65a0619c70.pdf
    • https://static.usrfiles.com/ugd/ea78e0_d91af08ab8b94a2f936e6b6c9885781a.pdf
    • https://static.usrfiles.com/ugd/b8c837_b100a3be4a034c869ea71974aaa80930.pdf
    • https://static.usrfiles.com/ugd/e1d12c_7a232e766ac6428bb0f33f8e2d34ed7f.pdf
    • https://static.usrfiles.com/ugd/c63dba_264c4b3e7aec42a7b922d0f1873b8d1f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       SHA-256                                                           Kind             Source                                      Size
font_00_sfnt_off00017806.bin   2cfd5530d6cea0fe65dd2bc408886bd3ccca61511a1ec8800a7222913d67d0a6  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17806  3768 bytes
font_01_sfnt_off00018579.bin   8014abd1ae2da7fd87ff66d805a79ba03ab9762440a5b4a03fc936953879f202  pdf-font-stream  PDF embedded font (sfnt) at offset 0x18579  5012 bytes
font_02_sfnt_off0001966a.bin   c93ab179955fe776aa29cb6814cb0505ae849924fcb6eabea06f790dbafba503  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1966A  10440 bytes