Malicious PDF — malware analysis report

Static analysis result for SHA-256 4db21c4702958ce2…

MALICIOUS

PDF

44.4 KB Created: 2020-09-06 16:48:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00710a2e0ba2531eb5e106e62434d97f SHA-1: e8901729fc1e8dbefb54b2dd7fff6eca6646b498 SHA-256: 4db21c4702958ce27f177948bad9848b935a4fc72e9acfcbcc543a545df171ed
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which points to a URL designed to lure users with a printer datasheet keyword. The document body, though heavily obfuscated, contains this same URL. The PDF also exhibits characteristics of a link farm, with numerous embedded links to external PDFs, suggesting a broader campaign to distribute malicious content. The primary malicious URL is the highest priority IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=hp+laserjet+pro+400+mfp+m425dw+datasheet
    • https://cdn.shopify.com/s/files/1/0434/2641/4748/files/jufabivefiri.pdf
    • https://cdn.shopify.com/s/files/1/0431/1672/4386/files/pabomifasuvogomu.pdf
    • https://cdn.shopify.com/s/files/1/0432/5077/8275/files/bible_message_for_youth_in_tamil.pdf
    • https://cdn.shopify.com/s/files/1/0431/6420/5216/files/cha_cha_slide_dance_song.pdf
    • https://cdn.shopify.com/s/files/1/0430/7196/3296/files/6424893429.pdf
    • https://cdn.shopify.com/s/files/1/0435/4310/1591/files/pevefovanosokuveti.pdf
    • https://static.usrfiles.com/ugd/57c819_50762abfbd8f40e5bf4e9fdb52491986.pdf
    • https://static.usrfiles.com/ugd/a4e402_0ad93e42c352497fb845a82a1d79592e.pdf
    • https://static.usrfiles.com/ugd/f1d680_2afa19c8cb874f4a99297c38a025be5a.pdf
    • https://static.usrfiles.com/ugd/964009_46899886e2b040618db6f53cc5d38bf9.pdf
    • https://static.usrfiles.com/ugd/67f5f7_d1a71df288ec4a75bfe3196133a9bb98.pdf
    • https://static.usrfiles.com/ugd/eda9ba_e399db633e18429b80439dd70aa75bec.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d9a.bin
2ce28efb32684b5710badd6667fac79c3256d0ff8cd92624d0ed752e5e3e102a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D9A 5896 bytes
font_01_sfnt_off000081a0.bin
bc6d398ed9cbfa53e3baeba605378f5413fa8c05f1f644830d3c7342e2708f92		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81A0 10316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.