Malicious PDF — malware analysis report

Static analysis result for SHA-256 52540bdd0e222b39…

MALICIOUS

PDF

41.2 KB Created: 2020-08-26 09:33:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b570af1af069fe078f627951c01240c2 SHA-1: c26091be9d8df46019ef945782fbad126a036d9e SHA-256: 52540bdd0e222b3937cb1f348c3dcac45c47c0adcf3ef74c1a158c8a7518a7df
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the URL that is also present in the heuristics and the URL list. This suggests the primary purpose is to redirect the user to a malicious site, likely for further exploitation or phishing. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, many pointing to Shopify, which is often used to host benign content but in this context appears to be part of a link farm to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=makkar+ielts+speaking+pdf+download+september+2019
    • http://files.lisariehl.com/uploads/1/3/2/6/132681891/bamulelibabogo.pdf
    • http://files.michaelgierl.com/uploads/1/3/0/8/130874326/beroniditenabeb.pdf
    • https://cdn.shopify.com/s/files/1/0432/7692/7141/files/78582815177.pdf
    • https://cdn.shopify.com/s/files/1/0438/6196/7013/files/thesis_on_agricultural_extension_and_rural_development.pdf
    • https://cdn.shopify.com/s/files/1/0435/3110/8504/files/21778126728.pdf
    • https://cdn.shopify.com/s/files/1/0432/2348/2525/files/63722439891.pdf
    • https://cdn.shopify.com/s/files/1/0438/4351/8629/files/66634737954.pdf
    • https://cdn.shopify.com/s/files/1/0438/3608/0288/files/kedevejakokudevananug.pdf
    • https://cdn.shopify.com/s/files/1/0443/6302/2492/files/solid_waste_management_practices_thesis.pdf
    • https://cdn.shopify.com/s/files/1/0431/9074/7293/files/70480869923.pdf
    • https://cdn.shopify.com/s/files/1/0430/2117/2897/files/5e_descent_into_avernus_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000053e5.bin
4e3c1c0065f2a2e2db7d36a8d698a469690ed7455c920d16b24a594acfa92a44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53E5 5932 bytes
font_01_sfnt_off00006817.bin
768f3d338e3e3c07e01dec6265a75c556467344e0a1da1d3475a7079f543cfc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6817 9908 bytes
font_02_sfnt_off000089f5.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89F5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.