Malicious PDF — malware analysis report

Static analysis result for SHA-256 47350f2b9b2b80d8…

MALICIOUS

PDF

40.7 KB Created: 2020-09-17 05:10:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3591ce36e49078e506c63798e5ef191 SHA-1: 7e304de71a44013bb0055ac78bb6c1667b8701f3 SHA-256: 47350f2b9b2b80d8455691865836605c2efbe3bb171805100de470fcf0334821
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with one specifically pointing to a known malicious redirector. This suggests the document is part of a link farm or SEO poisoning campaign designed to lure users to malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=tufano%2527s+vernon+park+tap+hours
    • https://cdn.shopify.com/s/files/1/0433/0664/7717/files/70256753340.pdf
    • https://cdn.shopify.com/s/files/1/0428/6418/1404/files/fevalofawarelut.pdf
    • https://cdn.shopify.com/s/files/1/0430/9935/7338/files/ankylose_definition.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pekuxiwitijumowiviw.pdf
    • https://cdn.shopify.com/s/files/1/0437/8466/7287/files/84824029422.pdf
    • https://944d5376-9d1c-4326-97e6-c1a4263d43a4.filesusr.com/ugd/6cabbb_5297a7c9ba40455f907495804ada9942.pdf?index=true
    • https://92058384-b851-471b-8145-8ec1cff1fd52.filesusr.com/ugd/d1fcfc_e17b88c220ee43c3bf57119b4993f6ca.pdf?index=true
    • https://b7863069-5d9b-407b-a330-7434a88bb69c.filesusr.com/ugd/3eed2b_e1de709dd9be4308902d8d270db8b21f.pdf?index=true
    • https://01273c93-376f-4494-84c2-f89e402629c0.filesusr.com/ugd/895bef_7f0bdd52652d484a84bac442d3c839ec.pdf?index=true
    • https://66307da1-6339-4119-be2a-f263320287a9.filesusr.com/ugd/64bd79_8c9e5a7d00444cdfbb1e738e01b87faf.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/lejejulepawezikitora.pdf
    • https://cdn.shopify.com/s/files/1/0433/1077/6473/files/78884019360.pdf
    • https://cdn.shopify.com/s/files/1/0428/8951/1068/files/lofifu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000544a.bin
87e4bd32fe17bca1aea09856a8535f4fb4aa54ffe1c6eac43e6a89fed767507e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x544A 4896 bytes
font_01_sfnt_off000064f5.bin
e15e5f28eab71c885a96bf3d051341603c10ce181a66cfc0c7385ceea20c704d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64F5 10188 bytes
font_02_sfnt_off000087d5.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87D5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.