Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f495f5d09e00326…

MALICIOUS

PDF

49.8 KB Created: 2020-09-10 22:10:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00b1bb43d93e34e106c6497b237a6140 SHA-1: c2a7074d8d223aae2b80559b82eb0562e1dbbe6e SHA-256: 3f495f5d09e003269137c92de45a041f67c164f5b69b9db3ded22c3a7d6e985d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, however, directs to a known malicious redirector. This suggests the document is part of a link farm designed to obscure malicious destinations. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=leica%20m3%20single%20stroke%20manual
    • http://zoxoxip.choiceokoro.com/uploads/1/3/0/7/130739629/bubolexevepuf.pdf
    • http://radodula.ethiopremier.com/uploads/1/3/1/3/131381428/babuwigupoker.pdf
    • https://cdn.shopify.com/s/files/1/0429/2195/1391/files/jikaw.pdf
    • https://cdn.shopify.com/s/files/1/0433/6749/7884/files/78921297250.pdf
    • https://cdn.shopify.com/s/files/1/0438/8651/0232/files/25684177516.pdf
    • https://cdn.shopify.com/s/files/1/0459/9054/3519/files/best_free_android_games_may_2019.pdf
    • https://cdn.shopify.com/s/files/1/0463/3372/2785/files/alexandro_querevalu_blue_sky.pdf
    • https://static.usrfiles.com/ugd/843280_29206c9776b047db8b289954492baecd.pdf
    • https://static.usrfiles.com/ugd/b91566_f487c3d6ebc74ecc8ebb06be449fc441.pdf
    • https://static.usrfiles.com/ugd/d79848_82f1de1d4ad84f3d858bf79d58ee2f2f.pdf
    • https://cdn.shopify.com/s/files/1/0461/5054/9667/files/nice_guidelines_copd_pathway.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/58026070287.pdf
    • https://cdn.shopify.com/s/files/1/0434/3395/1399/files/vedilofaluzisoduguf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007117.bin
087f97d8efa0af7f9958ae02f776fdad45230b5986a78f298e3c1dbc7a31d242		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7117 6148 bytes
font_01_sfnt_off00008639.bin
d3e6cfb23adb0ffb04b67c42124b2fabf543a174cc194ae425d0f6d559ac47cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8639 5288 bytes
font_02_sfnt_off00009824.bin
ceb7024820944f3f8b917e92eb37e72ef20d2759f2870b4e676b8f075cee7324		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9824 10020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.