Malicious PDF — malware analysis report

Static analysis result for SHA-256 507b39eb837baa4c…

MALICIOUS

PDF

40.5 KB Created: 2020-08-31 11:00:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3fb63cd1bf8f76de4dcdd985df7a98c SHA-1: 739282a3e5bd5ba2111a298bb75ec565483ff8a3 SHA-256: 507b39eb837baa4cff635d73da542c93e0ce254756aeb3b45e550a26fce9d0f3
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/wix?keyword=rabbitmq+in+depth', suggesting a lure to a malicious site. The PDF also contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic, further supporting a malicious intent to drive traffic to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=rabbitmq+in+depth
    • https://cdn.shopify.com/s/files/1/0429/7788/6367/files/zivaxudafajaguril.pdf
    • https://cdn.shopify.com/s/files/1/0430/8107/2789/files/10274356414.pdf
    • https://cdn.shopify.com/s/files/1/0435/2960/1175/files/bowflex_powerpro_xtl.pdf
    • https://cdn.shopify.com/s/files/1/0431/0489/5143/files/apsara_aali_marathi_song_pagalworld.pdf
    • https://static.usrfiles.com/ugd/b8c837_03e43f3c253b4dedb96b00dbd9981e3e.pdf
    • https://static.usrfiles.com/ugd/865d50_5a122037d2024aa8b6bd0da9e4ca9d4d.pdf
    • https://static.usrfiles.com/ugd/345929_6ed9766aee104591b9d19bc8847422d0.pdf
    • https://static.usrfiles.com/ugd/b6edda_6f6413da1e654b53b85f3e636fe886f8.pdf
    • https://static.usrfiles.com/ugd/0d002d_123a957a53674871a401b78fc4cec6b9.pdf
    • https://cdn.shopify.com/s/files/1/0438/5275/9200/files/dod_interagency_agreement_template.pdf
    • https://cdn.shopify.com/s/files/1/0436/5893/6473/files/bludgeon_brothers_theme.pdf
    • https://cdn.shopify.com/s/files/1/0430/1111/3123/files/python_create_directory.pdf
    • https://cdn.shopify.com/s/files/1/0434/5813/4182/files/37859804180.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006199.bin
2b6087f6f594fadae6690c3654dcfeb5aa97b62c6f878d0ada2d22e5d3f23740		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6199 5164 bytes
font_01_sfnt_off000072f9.bin
4529506805d76fedf613690a415d64f2d930d95fefa3d724b38152eb13b1aca7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72F9 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.