Malicious PDF — malware analysis report

Static analysis result for SHA-256 541f536fb19b6a7d…

MALICIOUS

PDF

41.0 KB Created: 2020-09-19 08:53:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0252f7ef6222b167b8b29833f4ad7eda SHA-1: 94d1d70470729099c9450c8095ce7c8d2903f9ba SHA-256: 541f536fb19b6a7d651aa26a2d7d803cf3a712fcaff41835edf17f81d2d655f9
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, many of which point to known malicious redirectors or link farms. The primary lure appears to be a link related to 'liger for sale', which redirects to a malicious domain. This suggests a phishing or scam attempt designed to lead users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=liger+for+sale
    • http://pusuvej.thecrossection.com/uploads/1/3/1/8/131857590/9331777.pdf
    • http://xugebipa.lilscholarspreschool.com/uploads/1/3/1/4/131453630/63506b00f042d54.pdf
    • http://roxuf.kylanicole.org/uploads/1/3/0/7/130776246/21615.pdf
    • http://gukuxap.kmkbooks.com/uploads/1/3/1/1/131163930/c0c7b7ca875.pdf
    • http://files.learningwithdigitaltechnologies.com/uploads/1/3/1/4/131438211/lofube-pupufasinuxowos-zezeleninov-muvapote.pdf
    • http://xakab.comforttrainer.net/uploads/1/3/1/4/131452976/virokupinazixada.pdf
    • https://cdn.shopify.com/s/files/1/0435/8501/1869/files/92491044265.pdf
    • https://cdn.shopify.com/s/files/1/0428/5032/0543/files/how_to_make_different_colored_text_in_discord.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5686/files/papuravewozonudotapox.pdf
    • https://cdn.shopify.com/s/files/1/0432/0080/7070/files/95062030404.pdf
    • https://6da3434a-0b17-441e-88ac-eb2adcadad25.filesusr.com/ugd/e2f197_09e8c0735b1445998c45e127d799be49.pdf?index=true
    • https://2e11566a-018f-46c9-a9e6-04321b272130.filesusr.com/ugd/9e53d4_a4cbdcec93f24146801f8da965f99848.pdf?index=true
    • https://f0ad52b9-c4d0-4fed-b84e-85fd45f1d6a8.filesusr.com/ugd/158fb9_0511df88754c432c816d5e1ff67bb795.pdf?index=true
    • https://14ebea45-acb7-4512-8320-3470d71ce969.filesusr.com/ugd/97634b_18597bce2b63474985ab652a40064fce.pdf?index=true
    • https://33c93ef6-047e-488a-ac44-fe3b47c28444.filesusr.com/ugd/6cabbb_820596ef6b9d499986bd14808ecf46f2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061be.bin
65ceab63892ce427f885175f32a91be319fbe294a314de0aa256c78f31135bca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61BE 4876 bytes
font_01_sfnt_off00007272.bin
57f9a6750c951f08567c109b14bb9665e246eb211bdae34aa22e48da034cbb2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7272 10820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.