Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b45998c6468a422…

MALICIOUS

PDF

47.0 KB Created: 2020-08-04 13:58:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae147b19e2c98547ed343236cdc8fb2f SHA-1: 505c9509480c20e9cf6cf92da7a24f8171cb6960 SHA-256: 3b45998c6468a422bf5cbc0287e3cc7b3a173b106b4768ae7998b61846c47086
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Pandora's box 5s game list pdf' and the malicious URL. This suggests a phishing or scam attempt where the user is enticed to click the link, which then redirects to malicious infrastructure. No scripts were extracted, limiting the analysis of further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=pandora+s+box+5s+game+list+pdf
    • http://files.birdandbloomevents.com/uploads/1/3/1/8/131856358/zanuwakomamapepasar.pdf
    • http://files.forebridge.com/uploads/1/3/1/4/131438362/lamewojepadalu_pibujufib_tamulupat.pdf
    • http://zubesono.deepcreektrading.com/uploads/1/3/1/4/131453555/6763662.pdf
    • http://files.rhearuben.com/uploads/1/3/1/0/131070166/3771581.pdf
    • https://cdn.shopify.com/s/files/1/0430/0210/1923/files/tubevabu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1459/4464/files/89229339300.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/duzawubemamomavokam.pdf
    • https://cdn.shopify.com/s/files/1/0429/6520/5141/files/webajururorixewawo.pdf
    • https://cdn.shopify.com/s/files/1/0428/8135/1839/files/88129799729.pdf
    • https://cdn.shopify.com/s/files/1/0429/7077/5706/files/vakopujewovojeduxudi.pdf
    • https://cdn.shopify.com/s/files/1/0435/5004/8420/files/lirokusutodowijeguzil.pdf
    • https://cdn.shopify.com/s/files/1/0437/6713/6413/files/51962839150.pdf
    • https://cdn.shopify.com/s/files/1/0427/8714/3839/files/65363238408.pdf
    • https://cdn.shopify.com/s/files/1/0440/1243/7662/files/96165679542.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ffb.bin
5be7ea15c0d110381df6f1955167837ce1ff10521e50e9b956386717bdfe1cf1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FFB 5696 bytes
font_01_sfnt_off0000834a.bin
4e52c146b734461ffc6ea68f770d9b9a4ccb9b4c03bfd782ff32669a8d25880a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x834A 13336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.