Malicious PDF — malware analysis report

Static analysis result for SHA-256 7646c253e5ef22de…

MALICIOUS

PDF

47.5 KB Created: 2020-09-04 20:51:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a36f238403e0c29eae9a8a7b1184424 SHA-1: 28e0f461e9bcfba0d206b73a5613843bdfed0f49 SHA-256: 7646c253e5ef22de095b0baa90b3a4e8dccb987cb85c1dd11abfe789a596faba
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to a URL that includes 'bitcoin miner legit apk'. This suggests a social engineering lure to trick the user into downloading malicious software. The document also contains a large number of external PDF links, many of which are benign, but the primary malicious link is the most concerning IOC. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=bitcoin+miner+legit+apk
    • https://cdn.shopify.com/s/files/1/0433/6379/5094/files/58711876470.pdf
    • https://cdn.shopify.com/s/files/1/0450/7552/9891/files/digital_electronics_viva_questions.pdf
    • https://cdn.shopify.com/s/files/1/0436/9340/8409/files/degevaweluxajajaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/3815/4650/files/berserk_of_gluttony_novela.pdf
    • https://cdn.shopify.com/s/files/1/0431/6987/4082/files/42146827886.pdf
    • https://cdn.shopify.com/s/files/1/0435/0961/2712/files/93141232523.pdf
    • https://cdn.shopify.com/s/files/1/0429/6153/5132/files/oxford_dictionary_english_to_sindhi_free_download.pdf
    • https://static.usrfiles.com/ugd/ef253e_237a6ff0a12c4021b61eea2a1f703cef.pdf
    • https://static.usrfiles.com/ugd/89363e_afd673341de64b49bff2d777b10a708e.pdf
    • https://static.usrfiles.com/ugd/5be868_dc4f9db8a4f6407f87c65c1f697f0d47.pdf
    • https://static.usrfiles.com/ugd/73f3b0_6ff496e443204001bb8ac50f61d025f6.pdf
    • https://static.usrfiles.com/ugd/3e9e83_898f4994ea1b408e818c6213d97f62bc.pdf
    • https://static.usrfiles.com/ugd/6cf0f5_67826293f77d4f7d87141d08bdbc23d1.pdf
    • https://static.usrfiles.com/ugd/5a1791_d13c22283b724e76a04bd216b864719b.pdf
    • https://static.usrfiles.com/ugd/fc840b_951c7956226248279757f1f54893b89e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007a92.bin
5f367d9908ae73fd13536356fc0a2db30740eb33babfdd5506df95c7b8db2ab1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A92 5188 bytes
font_01_sfnt_off00008c26.bin
c0625dfec3fad6ace6fa2951c266957ec032a153f9679a49aabf4999f1abb1c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C26 10812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.