Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e7793f776061bae…

MALICIOUS

PDF

46.5 KB Created: 2020-09-19 11:04:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0445ca62593d1cdf467c5aca99a4819 SHA-1: 543b476994b54b98c1dece01fbb29671527283f3 SHA-256: 3e7793f776061baee32a461017ae0cce81bd6259ae1c5914deda11ca151de0fa
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded URLs, with a critical heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains a URL that matches the redirector. This suggests the primary intent is to lure the user to a malicious site, likely for phishing or malware delivery. No scripts were extracted, limiting the analysis of further stages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=defiant+indoor+in+wall+digital+timer+model+32648+manual
    • http://reraf.lizziehobbs.co.uk/uploads/1/3/1/8/131856772/3085448.pdf
    • http://files.chalkstix.org/uploads/1/3/1/4/131437563/42fd02d2ad4027e.pdf
    • http://files.dalicemarsh.com/uploads/1/3/0/7/130775825/8d2a75bbe57a8cc.pdf
    • http://files.grapevineoasis.com/uploads/1/3/1/8/131871518/f76f99d2a.pdf
    • http://files.uk.lollandfalsterairport.dk/uploads/1/3/2/6/132681992/8661009.pdf
    • https://7d3b6c26-cf79-4e71-aee1-6294a126f6e6.filesusr.com/ugd/843280_5414d18ec956409bb305d04f0456f785.pdf?index=true
    • https://4e633630-8af0-41c0-850a-bd7d7463c477.filesusr.com/ugd/6c313a_ede390e0d3ed4241ac71d394f7698313.pdf?index=true
    • https://8619e0b8-988c-479c-9d19-6743eeed037a.filesusr.com/ugd/b96e41_c185798fc2d54122b4244d47bf3e72cf.pdf?index=true
    • https://73e5d123-9f28-42d4-88ab-4d1b8ab60795.filesusr.com/ugd/694d5d_5e268e9d488943eb843cbe381f4b2f1f.pdf?index=true
    • https://7316c061-4dfc-45cc-9091-11cb711d0341.filesusr.com/ugd/668a47_898ca8002b6842f7830dbfcdd5a090ac.pdf?index=true
    • https://32c57ed4-708a-4027-b88d-977f638a4fb2.filesusr.com/ugd/469aea_22d63a5784a34a24b3677bf2305b5dd2.pdf?index=true
    • https://067b5a80-b0dc-49ef-9cfd-f7fa2547557c.filesusr.com/ugd/e948c1_a602e33c8ccf49c6a35c94f0b0f0bbbe.pdf?index=true
    • https://00255a61-8ca1-4e49-ab94-53f3e60b02f4.filesusr.com/ugd/067ecb_ee51d9d0e8b8405b943fc8dfcf803331.pdf?index=true
    • https://fa6cb9fc-8726-4f15-9772-41bd9802fd0e.filesusr.com/ugd/3f8d85_1a49cea7ec43478591080da93655d3b6.pdf?index=true
    • https://ff77e12d-57b8-411f-ba2f-37ed4c3ab5c9.filesusr.com/ugd/66f3f9_fea6e59680ad4b6ca78f3812e23aec03.pdf?index=true
    • https://3f4ab72c-e268-4c48-afb4-894d6b0d40a1.filesusr.com/ugd/008a9f_a1de691836a5413d89a0b3a645c322c7.pdf?index=true
    • https://609499c7-6585-4ddf-8c9b-9e56f89ed3db.filesusr.com/ugd/0ad6c7_251dfa9a0f6b4807aadea8e3504e002b.pdf?index=true
    • https://e72d6b8e-6066-4680-800b-842f960b8c3f.filesusr.com/ugd/9219f8_74262211ae9e410980a8931281997f3d.pdf?index=true
    • https://56458cc9-41cc-4e4f-9215-cb7516000908.filesusr.com/ugd/64db51_fc8543ae6bb442c0b3c0a983023b0d53.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000756c.bin
0abd91c7966ce53eaa575868a4496fbb288b738ec7eac09f3504491bb09472d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x756C 5872 bytes
font_01_sfnt_off00008975.bin
9d65992feedb85bef759149c0b6779a01dea4e0b367c27de450799fb22950389		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8975 10180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.