Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e0ad51c251a4f4d…

MALICIOUS

PDF

47.7 KB Created: 2020-08-30 13:12:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 028326078625b1b6b0b041f4e9a68233 SHA-1: 0d7948b3b929a5960d18b01ced21d08906eb0db4 SHA-256: 2e0ad51c251a4f4dcdacae5eeaa13a62e7461b2ab2b8c43e8b59945ca479ca13
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm pointing to numerous PDFs hosted on Shopify and static.usrfiles.com, with one primary redirector URL identified as malicious. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains the primary malicious URL, suggesting the intent is to redirect the user to potentially malicious content or a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=get+blacksmiths+tools+from+undvik
    • https://cdn.shopify.com/s/files/1/0431/5080/3099/files/amadis_de_gaula_portugues.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/duxotidibiramopugizevafop.pdf
    • https://cdn.shopify.com/s/files/1/0427/6954/7431/files/android_studio_apk_app_not_installed.pdf
    • https://cdn.shopify.com/s/files/1/0430/7720/6178/files/punjabi_couple_wallpaper_full_hd.pdf
    • https://cdn.shopify.com/s/files/1/0430/3519/7602/files/1464470595.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ff12a58e9734f07bc99f9a3f9b7be75.pdf
    • https://static.usrfiles.com/ugd/83b1b3_3c0ea46da483441b8dddaa7c62d490db.pdf
    • https://static.usrfiles.com/ugd/e745be_8db368963c554d5da18d89979bcc9a37.pdf
    • https://static.usrfiles.com/ugd/724bd4_831eb5be552f47909370dca9f79a970a.pdf
    • https://static.usrfiles.com/ugd/9219f8_732e2512f40b4ee9a16fd3b3bd983583.pdf
    • https://static.usrfiles.com/ugd/3826db_dbd4daf31ac843dca58d22aeb79a6263.pdf
    • https://static.usrfiles.com/ugd/b8c837_9f28f964dfbd4c9dbd9f1f6acb0820fe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e29.bin
ed1680dde91dce1c59dd97bd69900eb239b795465c3ac86adcab8040fd873b88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E29 5436 bytes
font_01_sfnt_off0000807e.bin
905229a7efa0b6cf8fc91967f35013d653a15f9577ffff48cce11e3d61c62325		 pdf-font-stream PDF embedded font (sfnt) at offset 0x807E 10296 bytes
font_02_sfnt_off0000a399.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA399 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.