Malicious PDF — malware analysis report

Static analysis result for SHA-256 370135ebe49512fc…

MALICIOUS

PDF

Size: 47.5 KB
Created: 2020-08-01 04:19:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ada4426fae7f9e44730d2022493c41c7
SHA-1: 6749f8e1e5290837245d0a1038fbb6813b517304
SHA-256: 370135ebe49512fc3e3315a3e88986ba5e3e2d06918a8ce8c26f27760c1f34aa
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with the primary URL pointing to a known malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this, and 'PDF_SEO_LINK_FARM' indicates a large number of external links were present. The document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to disguise the true nature of the content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=blink+182+discography
    • http://files.explorestanton.com/uploads/1/3/1/4/131453216/6741733.pdf
    • http://files.bsidegameswebshop.com/uploads/1/3/1/4/131437561/28041d3f3.pdf
    • http://files.instinct-ready.com/uploads/1/3/1/6/131636954/3c6300e.pdf
    • https://cdn.shopify.com/s/files/1/0427/8996/1884/files/35840901693.pdf
    • https://cdn.shopify.com/s/files/1/0433/8440/6181/files/79739865425.pdf
    • https://cdn.shopify.com/s/files/1/0434/5122/0120/files/josazexanuvitusubera.pdf
    • https://cdn.shopify.com/s/files/1/0431/7652/5984/files/34079307609.pdf
    • https://cdn.shopify.com/s/files/1/0429/1005/6615/files/18840593013.pdf
    • https://cdn.shopify.com/s/files/1/0428/5346/6271/files/kupadamuwerunozona.pdf
    • https://cdn.shopify.com/s/files/1/0431/7039/8372/files/radiregapavojejowikilok.pdf
    • https://cdn.shopify.com/s/files/1/0432/0142/9662/files/wutomelerijadirifotavi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2813/5591/files/cuisinart_brew_central_dcc-_1200.pdf
    • https://cdn.shopify.com/s/files/1/0430/3929/3589/files/49585459290.pdf
    • https://cdn.shopify.com/s/files/1/0436/1509/2893/files/zopaniwumozogeletevikava.pdf
    • https://cdn.shopify.com/s/files/1/0433/0805/6740/files/mudutimuko.pdf
    • https://cdn.shopify.com/s/files/1/0435/1832/8991/files/49676867550.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000724a.bin
    SHA-256: ecd7bb4082f4168c5a14a304d36769715075567434d0606a8fd7316f92e74a28
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x724A
    Size: 5928 bytes
  • Filename: font_01_sfnt_off00008683.bin
    SHA-256: 2dcfcb97f2a49333632aa94316c522785602671389749b091a2799c6b28667e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8683
    Size: 13824 bytes