Malicious PDF — malware analysis report

Static analysis result for SHA-256 33033fbdf9f8efeb…

MALICIOUS

PDF

69.0 KB Created: 2020-08-31 23:33:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01266e9d0fdc2aec1e2f265f7ab5b473 SHA-1: 0f777dd081178c8c32f14df3e4971ef66af0a8c6 SHA-256: 33033fbdf9f8efeb8489783a525fe0228933cffd4a3c3c8aba4cccd3d7abfc65
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a known malicious domain, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the text 'Accp guidelines for dvt' and the malicious URL, suggesting a lure to trick the user into clicking the link. The ML_NYX_PDF_MALICIOUS heuristic further supports the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=accp+guidelines+for+dvt
    • https://cdn.shopify.com/s/files/1/0432/8993/6025/files/19114478778.pdf
    • https://cdn.shopify.com/s/files/1/0440/4723/7285/files/gudepoliragurokina.pdf
    • https://cdn.shopify.com/s/files/1/0433/1870/6331/files/61451301139.pdf
    • https://cdn.shopify.com/s/files/1/0431/7986/8309/files/lepajaturizukewobufunugix.pdf
    • https://static.usrfiles.com/ugd/078c79_32ec49a826994de6a0e2473593172631.pdf
    • https://static.usrfiles.com/ugd/ce0e6d_bd91102287da406abcc1bbc3175a0fa7.pdf
    • https://static.usrfiles.com/ugd/73c254_61d2fef562734de0955d823cac463a98.pdf
    • https://static.usrfiles.com/ugd/0779a3_8a51c13f1ff64c55abb210aa18dcbba7.pdf
    • https://static.usrfiles.com/ugd/b8c837_c67ac548abd5477f94ec77f1fc2067fa.pdf
    • https://cdn.shopify.com/s/files/1/0462/2788/2135/files/difference_between_manual_and_automation_testing_guru99.pdf
    • https://cdn.shopify.com/s/files/1/0433/1739/5614/files/5863314231.pdf
    • https://cdn.shopify.com/s/files/1/0437/2781/4810/files/odia_ganesh_bhajan_dj_song.pdf
    • https://cdn.shopify.com/s/files/1/0434/9224/5656/files/40480769158.pdf
    • https://cdn.shopify.com/s/files/1/0457/6336/2980/files/79285127991.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cddd.bin
311cd2ceeb509cdfed28b7d23280bf579f1ac7bb00498f500af0c650d93077fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDDD 5160 bytes
font_01_sfnt_off0000df8f.bin
2896c090e3070142fdf3dd3c8d2e30ff55e03b6ea57927e12a16a47ead74c3d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF8F 12112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.