Malicious PDF — malware analysis report

Static analysis result for SHA-256 58b21e33ccde34d7…

MALICIOUS

PDF

Size: 42.3 KB
Created: 2020-09-05 01:33:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04541df13e535185a811139c9fa92d3c
SHA-1: 7061c8a26cc874e57691dbd9c7b533ba9237857b
SHA-256: 58b21e33ccde34d7bd57f115b4a92d42f5779d66ec929594ddb5be744deb5ff6
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, with a critical heuristic firing for a PDF link farm. One of the primary links, 'https://ttraff.me/wix?keyword=adform+kiemelis+facebook', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting the document's purpose is to direct users to malicious infrastructure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=adform+kiemelis+facebook
    • https://static.usrfiles.com/ugd/fe83c3_654a610060044b3e8493430668847e2d.pdf
    • https://static.usrfiles.com/ugd/d162e3_8de1fe2730e44db1b5fd2d3c13cca596.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f68eb444f0f46489efea14ce3ee0019.pdf
    • https://static.usrfiles.com/ugd/4c1554_20780dc7fc4f443498c410f8dec0449b.pdf
    • https://static.usrfiles.com/ugd/6f58fb_e9f0baea9ba64aed86ce1d61004baa1c.pdf
    • https://static.usrfiles.com/ugd/76156b_8aa4e3a5750e463e85d8d81ee12d1736.pdf
    • https://static.usrfiles.com/ugd/e4d7df_1ac69ea60d554677ba206783ea74db83.pdf
    • https://static.usrfiles.com/ugd/e3ff21_70adef58fdd34cadb32cb5487f30cc4b.pdf
    • https://cdn.shopify.com/s/files/1/0431/5440/7580/files/vomapigokogajelejovubagew.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13908697451.pdf
    • https://cdn.shopify.com/s/files/1/0431/5460/4198/files/galalivenekegukatetuna.pdf
    • https://cdn.shopify.com/s/files/1/0440/5942/6968/files/andres_oppenheimer_libros_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0436/8505/2566/files/descargar_calendario_lunar_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000062c0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x62C0   5360 bytes
  SHA-256: 168f975ff6b3075a281000ab8fad756d556f4ed649c5cfc0b596cf958809e2d0
font_01_sfnt_off000074e4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x74E4   11908 bytes
  SHA-256: 5df62dbbf391d089717ec295094390ac6301c46b98e0b5915c104bb0459e55a4