Malicious PDF — malware analysis report

Static analysis result for SHA-256 40f7872c37bda9ca…

MALICIOUS

PDF

47.4 KB Created: 2020-08-17 15:27:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb797f3c4e4ee7b4587d57180377c6d5 SHA-1: 2e9cc7a07c8fa98f3f49a4a9b844465e4dce987e SHA-256: 40f7872c37bda9caad28b88503e6e1414aa80ed20d74acbdbbfeb1699461784d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the target URL and appears to be a lure for a 'Planet Earth 2 Deserts Worksheet'. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, suggesting a link farm for SEO manipulation or to distribute malicious content. The ML_NYX_PDF_MALICIOUS heuristic strongly supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=planet+earth+2+deserts+worksheet
    • http://files.sheri-johnson.com/uploads/1/3/0/7/130775228/2604055.pdf
    • http://files.mixbymattsim.com/uploads/1/3/1/6/131607131/felakiwutole-pebeke.pdf
    • http://files.mrstuckeysclass.com/uploads/1/3/0/7/130776841/4143467.pdf
    • http://files.dgdesignsjewelryandsupply.com/uploads/1/3/0/9/130969545/bagofi_sirolu_wobaliwovuw.pdf
    • http://files.blueprintorphan.com/uploads/1/3/2/6/132681690/6435653.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/zibebam.pdf
    • https://cdn.shopify.com/s/files/1/0431/1869/0458/files/insanity_flyff_job_guide.pdf
    • https://cdn.shopify.com/s/files/1/0439/7488/5534/files/goloz.pdf
    • https://cdn.shopify.com/s/files/1/0430/0773/8019/files/popebodetazuwonad.pdf
    • https://cdn.shopify.com/s/files/1/0430/3034/7938/files/6530540637.pdf
    • https://cdn.shopify.com/s/files/1/0430/7304/4634/files/capacitor_and_capacitance.pdf
    • https://cdn.shopify.com/s/files/1/0439/0843/2027/files/website_to_online_converter.pdf
    • https://cdn.shopify.com/s/files/1/0429/2716/1507/files/21105167786.pdf
    • https://cdn.shopify.com/s/files/1/0433/6146/8574/files/calendario_escolar_2020_angola.pdf
    • https://cdn.shopify.com/s/files/1/0433/7005/3784/files/37925627046.pdf
    • https://cdn.shopify.com/s/files/1/0434/1481/4882/files/24283438664.pdf
    • https://cdn.shopify.com/s/files/1/0439/2599/5688/files/gemuxij.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000650e.bin
c31b0b0033802b972b658878c10f66d877f73e3f7a6a75d641645a50a8023208		 pdf-font-stream PDF embedded font (sfnt) at offset 0x650E 5200 bytes
font_01_sfnt_off000076c7.bin
702d214765c46caf98c347a10649f1344480106b8d4464d0731f1753ae142134		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76C7 10700 bytes
font_02_sfnt_off00009b8f.bin
e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B8F 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.