Malicious PDF — malware analysis report

Static analysis result for SHA-256 597197d2ae328951…

MALICIOUS

PDF

38.5 KB Created: 2020-08-29 04:17:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4fcf64d7297e5207b433c6cdc2b5e25 SHA-1: 369387d39d6ec63055078972e2f63db363b55f1d SHA-256: 597197d2ae32895157a8097db31a8c7535f63dc9a1463d97a0e617be6aed40d2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body and the extracted URLs. The document appears to be a lure, disguised as a Toyota manual, to entice users to click the malicious link. The presence of a large number of external PDF links also suggests a link farm, a common tactic for SEO poisoning or distributing malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=manuale+sistema+multimediale+toyota
    • https://static.usrfiles.com/ugd/b8c837_3be6d8a7088b43f1914a2bec883e7a1c.pdf
    • https://static.usrfiles.com/ugd/b8c837_99ea93d438a34e9a980688eeb3c53495.pdf
    • https://static.usrfiles.com/ugd/b8c837_04709d29d7f440bb9faddb0415b5f13f.pdf
    • https://cdn.shopify.com/s/files/1/0430/1104/7575/files/54101006008.pdf
    • https://static.usrfiles.com/ugd/b8c837_1a9516e8b5b54587bc831b248c94f678.pdf
    • https://static.usrfiles.com/ugd/b8c837_fffc3add1a194ecb8ad92f23bd26b7d5.pdf
    • https://static.usrfiles.com/ugd/b8c837_79a4e57205f04ba58e0393a2ba477be0.pdf
    • https://static.usrfiles.com/ugd/b8c837_94f947be39e6411f9dfd343c436112b2.pdf
    • https://cdn.shopify.com/s/files/1/0428/5107/4214/files/46812216462.pdf
    • https://cdn.shopify.com/s/files/1/0463/1330/8325/files/54336726014.pdf
    • https://cdn.shopify.com/s/files/1/0432/9222/9797/files/gun_mayhem_2_unblocked.pdf
    • https://cdn.shopify.com/s/files/1/0432/6876/7907/files/dutejulalesi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0822/8508/files/bartolomeo_scappi_opera.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005815.bin
d65f09b89eb8d5d6b5dbd6cde7e9cad933d08d6d46416a42b769675a3a557403		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5815 4984 bytes
font_01_sfnt_off000068ff.bin
fd9b8424bdcbeda7b35ed7bab19f572bea3b5785feb87316d25286102054f8b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68FF 11088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.