Malicious PDF — malware analysis report

Static analysis result for SHA-256 41ec1c37b92a1d0a…

MALICIOUS

PDF

50.5 KB Created: 2020-09-18 05:43:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01fe3271d2d01423991d29a5c8a81a55 SHA-1: 931118da663b84b98a621b78c6d7abff9cfaea94 SHA-256: 41ec1c37b92a1d0a12ba5bfc9029a8fb4d4a04b676f52178f08475be4b4d81ac
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector found by heuristics. This suggests the primary goal is to redirect the user to a malicious site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=uss+enterprise+owners+workshop+manual+pdf
    • http://nipegigu.trainingoutlaws.com/uploads/1/3/2/6/132681144/lozirok-bavumeraduveta-jomewodudokikup-gagetejafu.pdf
    • http://files.thyperfectpomsky.com/uploads/1/3/1/8/131856498/ca3d2703b14b3a.pdf
    • http://fesolu.nwgrind.com/uploads/1/3/0/7/130775219/dada51bfb0500e.pdf
    • http://ravun.sciencewithheart.org/uploads/1/3/1/3/131380969/leledej.pdf
    • https://cdn.shopify.com/s/files/1/0437/9102/4277/files/mrsa_bacteremia_idsa_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0428/3400/2086/files/gta_v_for_android_apk__data.pdf
    • https://cdn.shopify.com/s/files/1/0434/7301/0850/files/spanish_american_war_political_cartoons.pdf
    • https://cdn.shopify.com/s/files/1/0486/1761/9621/files/pegeselimuli.pdf
    • https://cdn.shopify.com/s/files/1/0433/5301/4423/files/vetutefo.pdf
    • https://cdn.shopify.com/s/files/1/0440/5778/8568/files/lyapunov_stability_theorem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejupabofutub.pdf
    • https://cdn.shopify.com/s/files/1/0440/3894/6981/files/casual_vs_formal_dress_code.pdf
    • https://cdn.shopify.com/s/files/1/0436/0346/0259/files/33661553479.pdf
    • https://cdn.shopify.com/s/files/1/0430/7746/8311/files/30147651016.pdf
    • https://cdn.shopify.com/s/files/1/0431/7030/0065/files/james_bay_scars.pdf
    • https://cdn.shopify.com/s/files/1/0439/2579/9067/files/vixibivokupoxaze.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007e2c.bin
28083e0f9c44e6a7db3a897265bb455798191ad40923a4e281a6e28de7bde5d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E2C 5428 bytes
font_01_sfnt_off0000908c.bin
ef7122426fb34438890cac5296de1ff47bbb4fa3a2aacf44f06ce4100c333a57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x908C 13748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.