Malicious PDF — malware analysis report

Static analysis result for SHA-256 4354ebb35ae29b8e…

MALICIOUS

PDF

43.7 KB Created: 2020-08-04 11:35:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96ee4f59861c8aa30239da06b59f8697 SHA-1: 54ac44a71144f7ca1da2cdcbaf4ee21d447f3ff8 SHA-256: 4354ebb35ae29b8e1fe77d0a699cdd6c1a86c47249b686471111653648561db4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with many links pointing to benign Shopify domains but one critical link to a known malicious redirector. The document body, though heavily obfuscated, contains the malicious URL. This indicates a lure to redirect the user to malicious infrastructure, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=components+of+boiler+system+pdf
    • http://files.headtotoeoldschool.com/uploads/1/3/1/1/131163957/d5410eae4.pdf
    • http://files.uspw.net/uploads/1/3/0/8/130814874/nesuzus.pdf
    • http://files.filmbandits.org/uploads/1/3/1/1/131164402/635f9.pdf
    • http://files.heartstonehavenmassage.com/uploads/1/3/1/6/131606060/penuk.pdf
    • http://files.calmundertension.com/uploads/1/3/1/3/131381722/jovuruke.pdf
    • https://cdn.shopify.com/s/files/1/0432/4573/2007/files/dejikafevilopaxawukonewa.pdf
    • https://cdn.shopify.com/s/files/1/0431/7318/3643/files/xigerenu.pdf
    • https://cdn.shopify.com/s/files/1/0437/7139/6257/files/pobodoj.pdf
    • https://cdn.shopify.com/s/files/1/0430/2831/6313/files/zavatavasabuma.pdf
    • https://cdn.shopify.com/s/files/1/0433/7077/4679/files/30902157240.pdf
    • https://cdn.shopify.com/s/files/1/0446/0825/8211/files/sql_database_management_system.pdf
    • https://cdn.shopify.com/s/files/1/0437/0857/9993/files/3442956654.pdf
    • https://cdn.shopify.com/s/files/1/0432/1158/7752/files/naniw.pdf
    • https://cdn.shopify.com/s/files/1/0434/2516/9565/files/lusukigixikeva.pdf
    • https://cdn.shopify.com/s/files/1/0431/2494/9153/files/jezubifopuzu.pdf
    • https://cdn.shopify.com/s/files/1/0431/9019/0248/files/kogakiwer.pdf
    • https://cdn.shopify.com/s/files/1/0430/1560/2339/files/wugifewi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7079/9510/files/viter.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006db3.bin
d681b1979fec85ffa1b6b0b0a72da41c458f96ff56324505e5a4bb42ee17dbe9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DB3 5124 bytes
font_01_sfnt_off00007f08.bin
a0eadb410a00d2e27274b893cebfbd8eda340a21b9aa73a1f3800161a024ac5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F08 10268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.