Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e72c036146dbae5…

MALICIOUS

PDF

45.2 KB Created: 2020-08-13 21:53:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2517dab9a3f1ecb0766c490c2446365 SHA-1: 5364feba2cd9f5453d0918227014d85c60d0f163 SHA-256: 2e72c036146dbae521c78bc8160315ece1fb39937a9ce15ae348df7cf83e6359
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which points to a URL designed to lure users with a keyword related to Android development. The document body, though heavily obfuscated, also contains this URL. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=android+studio+pull+project+from+github
    • http://files.schoolpatio.com/uploads/1/3/1/8/131871778/8707338.pdf
    • http://files.mishidance.com/uploads/1/3/0/8/130874241/2099973.pdf
    • http://gakopije.maeganprovan.com/uploads/1/3/1/8/131871650/relazefevirawekoted.pdf
    • http://files.equineecogreenus.com/uploads/1/3/1/8/131856860/4888660.pdf
    • http://files.damesdynastyleauge.com/uploads/1/3/0/7/130739234/lubururosugo-riwudi-zulebuves-pudilorewote.pdf
    • https://cdn.shopify.com/s/files/1/0428/6903/1078/files/49302376064.pdf
    • https://cdn.shopify.com/s/files/1/0434/2130/2935/files/principles_of_participatory_action_research.pdf
    • https://cdn.shopify.com/s/files/1/0436/0998/1085/files/binilumid.pdf
    • https://cdn.shopify.com/s/files/1/0435/3196/0474/files/gopeso.pdf
    • https://cdn.shopify.com/s/files/1/0432/8115/4204/files/mirijomu.pdf
    • https://cdn.shopify.com/s/files/1/0429/1851/0745/files/15598178794.pdf
    • https://cdn.shopify.com/s/files/1/0430/4742/0066/files/sapuko.pdf
    • https://cdn.shopify.com/s/files/1/0431/6564/7012/files/poraziwopilusatilate.pdf
    • https://cdn.shopify.com/s/files/1/0432/8466/0380/files/african_society_and_culture.pdf
    • https://cdn.shopify.com/s/files/1/0431/2816/0417/files/luxafuwavubajutakulelin.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/37514191659.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fea.bin
e21281a8a7d7a39263b9bfcf71d0a0dc6f47f86c794918b1ccdaf63c0b609bc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FEA 5564 bytes
font_01_sfnt_off000082ae.bin
05776918b420195a76b025480d2d1865f8c2baa96a8c59180d8b0b0b169de08e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82AE 10332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.