Malicious PDF — malware analysis report

Static analysis result for SHA-256 54dc3bcdaf8ca42d…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Created: 2020-09-18 09:00:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7147e8988f0f0378d61cfcdceff09c2
SHA-1: f3438292add3b84a5d833ae6ee77150c4dd99805
SHA-256: 54dc3bcdaf8ca42dae182897b6e2fe42c1caee6e3cb5871094a26f7d356f3bb0
Risk score: 154

Note: the creation time and authoring application are read from the document's own metadata (/CreationDate and /Producer), which the author controls. They are consistent with a file generated automatically from HTML rather than authored by hand, but they are not verified facts about the source.

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1059.001 PowerShell
(T1059.001 is listed without supporting evidence on this page: no scripts were extracted from the sample, so treat it as a campaign-level association rather than behaviour observed in this file.)

The PDF contains a clickable link to a known malicious redirector (ttraff.link), indicating a phishing or malware delivery attempt. The document text, though obfuscated, contains the string 'Arthropod poetry answers', and the redirector URL carries the same phrase in its keyword parameter, which suggests an SEO-style lure. The large number of external PDF links, almost all on filesusr.com subdomains, points to a link farm, a common tactic for SEO poisoning or for routing users into unwanted-software delivery chains. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is in what the link leads to, not in opening the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not match a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content; this parser-confusion shape is used by targeted PDFs to show different content to different readers. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content such as JavaScript or launch actions.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) produced each one.
    • https://ttraff.link/pify?keyword=arthropod+poetry+answers (known malicious redirector; see PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://a6db0fef-5292-43d9-9434-f76781542acf.filesusr.com/ugd/738632_ef7ba57846984567bdfac19484a09e32.pdf?index=true
    • https://91f9e142-1281-473f-b1a4-a101eccdda09.filesusr.com/ugd/510a18_ffde569e87e347788a371be3db79e139.pdf?index=true
    • https://25d623f8-2c3e-43cf-890a-5c869682e4f4.filesusr.com/ugd/89c6ad_f6315ff54c2e499f8bc2c28e09e14750.pdf?index=true
    • https://80c88fb1-b575-4e8c-8d1e-7a2c8aad58a3.filesusr.com/ugd/f17c08_85d370a694114130b58c104e6bbf6bda.pdf?index=true
    • https://1a98af38-2636-487a-9bec-260ebc7bfda8.filesusr.com/ugd/067ecb_db32d3b3fe8c4e36aedd821549f35750.pdf?index=true
    • https://d85f1f42-50c6-4af2-9207-360233ab4f92.filesusr.com/ugd/122077_e7f3baef176d447bbe5982489876fe7f.pdf?index=true
    • https://47d14812-0f42-449d-8ef5-103c094124f3.filesusr.com/ugd/3b0c81_67ad25cceab646e4afd6bba7baefffd8.pdf?index=true
    • https://6ae4071f-0778-4cb2-90d0-d7b09e8fbc93.filesusr.com/ugd/1cc777_f8e0a868ef2a44169c268ed0035f36a2.pdf?index=true
    • https://14ebea45-acb7-4512-8320-3470d71ce969.filesusr.com/ugd/97634b_18597bce2b63474985ab652a40064fce.pdf?index=true
    • https://cc0cc181-a939-4767-ba62-7e355de73bb2.filesusr.com/ugd/6e13d9_f213fb9872a74806ac0cce4a518a57cb.pdf?index=true
    • https://af591e4f-daaf-4685-a131-d67185808cb9.filesusr.com/ugd/312e0e_c4671e86dd664af89be82d5644024329.pdf?index=true
    • https://fc00db4a-e252-4578-9f4b-a855974103a5.filesusr.com/ugd/668a47_cbbe7a04bdf0486b8b4f57727beaed6d.pdf?index=true
    • https://b887894b-d943-4ade-a681-b21133670c73.filesusr.com/ugd/90661f_cbcb4ea115c64209935673464557c00e.pdf?index=true
    • https://c3b367ca-c7e3-4be7-9e24-f359b464476d.filesusr.com/ugd/65b209_86451bed7d03422dba838fb5c7982d33.pdf?index=true
    The six URIs below are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links; they appear in any PDF that carries XMP metadata and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
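The three content heuristics above (redirector link, link farm, duplicate object bodies) and the distinction between clickable link annotations and metadata namespace URIs can be reproduced with a small textual scanner. The code below is an added example written for this page, not the analysis platform's own detector. It assumes a constructed sample PDF (embedded inline, with no xref table), flat dictionaries, assumed thresholds for "small" and "many links" (256 KB, 8 links, 60 % on one domain), a cluster-domain simplification that takes the last two host labels, and a hypothetical blocklist containing ttraff.link.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: a PDF skeleton with the shapes the
# heuristics describe (many /Link annotations to one hosting domain, one
# redirector link, an XMP metadata stream, and object 5 redefined with a
# different body by an appended incremental update). There is no xref table;
# the scanners walk "N G obj ... endobj" textually, as a triage tool would.
def _annot(num, uri):
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, uri))

_farm = [_annot(10 + i, b"https://%08x-0000-4000-8000-000000000000.filesusr.com"
                        b"/ugd/%06x_deadbeef.pdf?index=true" % (i, i)) for i in range(14)]

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 31 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [5 0 R] /Count 1 >>\nendobj\n"
    b"5 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    + b"".join(_farm)
    + _annot(30, b"https://ttraff.link/pify?keyword=arthropod+poetry+answers")
    + b"31 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
      b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
      b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj\n'
      b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
      # Incremental update appended after %%EOF: object 5 again, different body.
      b"5 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [10 0 R 30 0 R] >>\nendobj\n"
      b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys that make a duplicate definition "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")

def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()

def link_uris(data):
    """URIs a user can click: /Link annotations whose action is /S /URI."""
    uris = []
    for _, _, body in iter_objects(data):
        if re.search(rb"/Subtype\s*/Link", body) and re.search(rb"/S\s*/URI", body):
            uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris

def xmp_namespace_uris(data):
    """xmlns URIs inside XMP metadata streams: identifiers, not clickable links."""
    return sorted({m.group(1).decode("latin-1")
                   for _, _, body in iter_objects(data)
                   if re.search(rb"/Type\s*/Metadata", body)
                   for m in re.finditer(rb'xmlns:\w+="([^"]+)"', body)})

def _cluster_domain(host):
    # Simplification (no public-suffix list): last two labels, so every
    # <uuid>.filesusr.com subdomain collapses to filesusr.com.
    return ".".join(host.lower().split(".")[-2:])

def link_farm_score(data, max_size=256 * 1024, min_links=8, min_ratio=0.6):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, one dominant domain."""
    pdf_links = [u for u in link_uris(data) if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(_cluster_domain(urlparse(u).hostname or "") for u in pdf_links)
    top, count = domains.most_common(1)[0] if domains else ("", 0)
    ratio = count / len(pdf_links) if pdf_links else 0.0
    return {"size": len(data), "pdf_links": len(pdf_links), "top_domain": top, "ratio": ratio,
            "flagged": len(data) <= max_size and len(pdf_links) >= min_links and ratio >= min_ratio}

def redirector_hits(data, blocklist):
    """PDF_MALICIOUS_REDIRECTOR_LINK shape: clickable URI whose host is on a blocklist."""
    return [u for u in link_uris(data) if (urlparse(u).hostname or "").lower() in blocklist]

def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same (num, gen), different bodies."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    out = {}
    for key, bodies in seen.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            out[key] = {"first_wins": bodies[0], "last_wins": bodies[-1],
                        "definitions": len(bodies), "active": active,
                        "severity": "high" if active else "info"}
    return out

if __name__ == "__main__":
    print("clickable links:", len(link_uris(SAMPLE_PDF)))
    print("link farm:", link_farm_score(SAMPLE_PDF))
    print("redirector hits:", redirector_hits(SAMPLE_PDF, {"ttraff.link"}))  # hypothetical blocklist
    for key, info in duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d: %d definitions, severity %s"
              % (key + (info["definitions"], info["severity"])))
    print("xmp namespaces (not clickable):", xmp_namespace_uris(SAMPLE_PDF))
```

The sample's duplicate of object 5 only adds an /Annots array, so it is reported at info severity, exactly the benign incremental-update case the heuristic describes; swapping in a body containing /OpenAction or /JS raises it to high. The XMP namespace URIs never appear in the clickable set, which is why they carry no signal in the URL list above.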

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000a49b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA49B
    Size: 4936 bytes
    SHA-256: 077f8457a790e092fa430d4b3f5d2979e4dec96fdf73b3cf8fc4a2ede9753d18
  • font_01_sfnt_off0000b565.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB565
    Size: 10188 bytes
    SHA-256: 2fd36f259441dc9f2cc261562e07424a75effcedfd004c04e05ec54c2095941a
  • font_02_sfnt_off0000d834.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD834
    Size: 4324 bytes
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3

Embedded subset fonts are normal output for an HTML-to-PDF converter; the carved fonts are listed for completeness, and no heuristic on this page fires on them.
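How rows like the ones above are produced: walk the stream objects, undo the stream filter, and keep the payloads that start with an sfnt header tag. The code below is an added example written for this page, not the analysis platform's carver. It assumes a constructed sample PDF embedded inline, flat stream dictionaries with a direct /Length, at most a single /FlateDecode filter, and that the reported offset is the offset of the stream data (the page does not say whether it is the object or the data offset, so that is an assumption).

```python
import hashlib
import re
import struct
import zlib

# Leading four bytes of an sfnt container: TrueType, Mac 'true', CFF OpenType, collection.
SFNT_TAGS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}

def _fake_sfnt(tag):
    """Constructed sfnt: offset table, one table record, 16 bytes of table data."""
    header = tag + struct.pack(">HHHH", 1, 16, 0, 0)   # numTables, searchRange, entrySelector, rangeShift
    record = b"head" + struct.pack(">III", 0, 28, 16)  # tag, checksum, offset, length
    return header + record + b"\x00" * 16

TRUETYPE = _fake_sfnt(b"\x00\x01\x00\x00")
OPENTYPE_CFF = _fake_sfnt(b"OTTO")

def _stream_obj(num, dict_entries, payload):
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, dict_entries, len(payload))
            + payload + b"\nendstream\nendobj\n")

# Constructed sample, not the analysed file: one page-content stream (must not be
# carved), one FlateDecode TrueType stream (/FontFile2 style) and one raw CFF stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _stream_obj(4, b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (hello) Tj ET"))
    + _stream_obj(7, b"/Filter /FlateDecode /Length1 %d" % len(TRUETYPE), zlib.compress(TRUETYPE))
    + _stream_obj(8, b"/Subtype /OpenType", OPENTYPE_CFF)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Object header, its (flat) dictionary, then the 'stream' keyword. The tempered
# dot stops the dictionary match from running across an 'endobj'.
STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")  # direct /Length only, not 'N 0 R'

def carve_fonts(data):
    """Return one record per stream whose decoded payload is an sfnt font."""
    found, pos = [], 0
    while True:
        m = STREAM_RE.search(data, pos)
        if not m:
            return found
        num, gen, d = int(m.group(1)), int(m.group(2)), m.group(3)
        start = m.end()                      # first byte of stream data
        length = LENGTH_RE.search(d)
        if length:
            raw = data[start:start + int(length.group(1))]
        else:                                # no direct /Length: cut at the keyword
            raw = data[start:data.find(b"endstream", start)].rstrip(b"\r\n")
        pos = start + len(raw)               # never rescan inside binary stream data
        payload = raw
        if b"/FlateDecode" in d:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue                     # corrupt or multi-filter stream: skip
        if payload[:4] not in SFNT_TAGS:
            continue
        found.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
                      "object": (num, gen), "offset": start, "size": len(payload),
                      "sha256": hashlib.sha256(payload).hexdigest(),
                      "filter": "FlateDecode" if b"/FlateDecode" in d else "none"})

if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print("%s  obj %d %d  offset 0x%X  %d bytes  %s" % (
            f["name"], f["object"][0], f["object"][1], f["offset"], f["size"], f["sha256"]))
```

The hash is taken over the decoded payload, so two files that embed the same subset font with different compression settings still match; if the platform hashes the raw stream instead, that is the one thing to change before comparing against the SHA-256 values listed above.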