Malicious PDF — malware analysis report

Static analysis result for SHA-256 33d0efab4e337d08…

MALICIOUS

PDF

33.0 KB Created: 2020-09-25 03:46:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03cf3c8f03d822299e40c95f2f6aa52a SHA-1: fb6d6b3f4410564e3971b7d3570891723a7bc0bd SHA-256: 33d0efab4e337d08aa55d59788ae94ccd8e4301fa9bfa4fbebb01df788448fa4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, also contains this malicious URL. The presence of a PDF link farm heuristic further suggests a malicious intent to distribute links. The primary attack pattern involves luring the user to click on the malicious URL, which then redirects to further malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=pulsar%20titanium%20chronograph%20100m%20manual
    • http://files.tiffanythetherapist.com/uploads/1/3/0/8/130874246/fufajetemipaduvufuk.pdf
    • http://zibulip.fiestadelespanol.org/uploads/1/3/1/6/131637896/vubibujiporaru.pdf
    • http://tefibuz.kashefvbnpp.com/uploads/1/3/0/7/130775365/vedubinamufew_tareliw_zegowegubibaf.pdf
    • https://cdn.shopify.com/s/files/1/0430/3064/2837/files/911_driving_school_test_4_answers.pdf
    • https://cdn.shopify.com/s/files/1/0439/3756/2779/files/niwetapigosukeledefo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8548/8543/files/31558214457.pdf
    • https://cdn.shopify.com/s/files/1/0435/3762/9348/files/kiwidusotonamonusomaxom.pdf
    • https://cdn.shopify.com/s/files/1/0432/8190/7870/files/fly_agaric_trip_report.pdf
    • https://9adf2060-4f8e-4a63-91ca-2fda287dc106.filesusr.com/ugd/0d002d_ed155a327566414bb5c2c6ee5048f0a0.pdf?index=true
    • https://e99b4b8c-97b4-4efb-b75e-68d68bf4cf70.filesusr.com/ugd/d775a9_9bb377f6b5954c0ca45e779cdd408c59.pdf?index=true
    • https://5001044b-b0de-4220-aeb4-e42658bcbff5.filesusr.com/ugd/4725f1_92f64e88e29c4abc8587654a3a1c7e46.pdf?index=true
    • https://70541caf-9b43-4c8e-ab61-05ea53524ce1.filesusr.com/ugd/cc3ca9_6e7f8610bfe34bcfa16b11453f227e91.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000428c.bin
1ffcae1593e651e04922fac4cfd23c8999430e3d84507ce7853acc5ff7fa6682		 pdf-font-stream PDF embedded font (sfnt) at offset 0x428C 5540 bytes
font_01_sfnt_off00005542.bin
8d9af680141c75a348931d5493991903221705f2cefdb554afce7f92f401cd2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5542 9940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.