Malicious PDF — malware analysis report

Static analysis result for SHA-256 785a23a4d81f427e…

Verdict: MALICIOUS
File type: PDF
Size: 41.8 KB
Created: 2020-08-23 20:44:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bbd4f521da0bd52a0c73a8727f7681fe
SHA-1: dc88ec9866eec865097e0e4926ac8d48f9d5d455
SHA-256: 785a23a4d81f427e0028190da0c47cd7edf075ebe4fbde517149d55a61bc68cd
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF carries a large number of clickable links, one of which points to known malicious redirector infrastructure (ttraff.com). The PDF_SEO_LINK_FARM heuristic fired on the mass of external PDF links, mostly clustered on one host, which is the pattern of generated SEO/link-farm carriers used to manipulate search results and route users into malicious or unwanted-software delivery chains. The ML classifier independently scored the file as malicious with maximum confidence. The 'honeywell thermostat app' keyword in the redirector URL is the search term used as the lure. The chain depends on the victim clicking a link and following redirects, not on a PDF parser vulnerability, so opening the file alone does not execute anything.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link-annotation URIs (the redirector first, then twelve external PDF links, seven of them on cdn.shopify.com):
    • https://ttraff.com/pify?keyword=honeywell+thermostat+app
    • http://files.isiscommunitytheatre.com/uploads/1/3/1/4/131438682/nodofurixug.pdf
    • http://files.wicklowart.com/uploads/1/3/0/9/130968956/mikudox-zutotep-lulamubeg.pdf
    • http://dekafen.rqgenesis.co/uploads/1/3/2/6/132681394/benonufiniratigelon.pdf
    • http://files.embracemyanmar.com/uploads/1/3/0/8/130814411/koludulasamora-bujozejon-tuvorim.pdf
    • http://files.helenmathermusic.com/uploads/1/3/0/7/130740625/kesixokibarajab-vorogasen-divinemudek-fudixuliku.pdf
    • https://cdn.shopify.com/s/files/1/0447/1426/2682/files/bhojpuri_gana_2019_ka_ing.pdf
    • https://cdn.shopify.com/s/files/1/0430/8353/0394/files/dibaviranadadafulikowuwaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/5611/1520/files/74625178182.pdf
    • https://cdn.shopify.com/s/files/1/0437/6661/2119/files/agile_development_model.pdf
    • https://cdn.shopify.com/s/files/1/0432/6372/1637/files/98013423145.pdf
    • https://cdn.shopify.com/s/files/1/0437/1962/2808/files/23402310184.pdf
    • https://cdn.shopify.com/s/files/1/0432/6853/8521/files/p90x_workout_book.pdf
    XMP/RDF schema namespace URIs from the document metadata stream (emitted by the authoring tool; not clickable links and not counted by the link heuristics):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
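The three link-based heuristics above can be reproduced with a short script. What follows is an added example written for this page, not the scanner's own code: it pulls /URI actions out of a PDF (including ones packed into Flate-compressed object streams, which a raw string search would miss), keeps XMP namespace URIs in a separate bucket so they never count as links, and then applies a PDF_MALICIOUS_REDIRECTOR_LINK check against an assumed denylist and a PDF_SEO_LINK_FARM check with assumed thresholds for "small", "many" and "mostly one host". The sample PDF bytes are constructed inline with example.* hosts; only the ttraff.com URL is taken from the report, and its presence in the denylist is an assumption for the demonstration.

```python
"""Added example re-implementing the report's link heuristics (EMBEDDED_URL channel
split, PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM). Not the scanner's code."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical denylist: ttraff.com is listed only because the report labels it as
# redirector infrastructure; a real deployment would load this from threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}
# Assumed thresholds for "small PDF", "many PDF links" and "mostly on one host".
LINK_FARM_MAX_SIZE, LINK_FARM_MIN_PDF_LINKS, LINK_FARM_MIN_TOP_HOST_SHARE = 200 * 1024, 8, 0.5

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # /URI (...)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                   # /URI <hex>
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')

def _unescape_literal(raw: bytes) -> str:
    # Handles the escapes that matter for URIs (\( \) \\); octal \ddd is left as-is.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")

def _buffers(data: bytes):
    """Yield the raw file, then every stream body that inflates, so that link
    annotations packed into FlateDecode'd object streams are not missed."""
    yield data
    for m in _STREAM.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:          # not a zlib stream (fonts, XMP, images, ...)
            continue
        if out:
            yield out

def extract_link_uris(data: bytes) -> list:
    """URIs reached through /URI actions, i.e. clickable link annotations."""
    uris = []
    for buf in _buffers(data):
        uris += [_unescape_literal(m.group(1)) for m in _URI_LITERAL.finditer(buf)]
        for m in _URI_HEX.finditer(buf):                # odd-length hex is padded with 0
            digits = re.sub(rb"\s", b"", m.group(1)) + b"0"
            uris.append(bytes.fromhex(digits[:len(digits) // 2 * 2].decode()).decode("latin-1"))
    return uris

def extract_metadata_namespaces(data: bytes) -> list:
    """xmlns URIs from the XMP metadata stream: schema identifiers, not links."""
    found = (m.group(1).decode("latin-1") for buf in _buffers(data) for m in _XMLNS.finditer(buf))
    return list(dict.fromkeys(found))

def _host(uri: str) -> str:
    return (urlsplit(uri).hostname or "").lower()

def redirector_hits(uris, denylist=KNOWN_REDIRECTOR_HOSTS) -> list:
    return [u for u in uris if _host(u) in denylist]

def link_farm_stats(uris, size_bytes: int) -> dict:
    """Count external .pdf links and how strongly they cluster on a single host."""
    pdf_links = [u for u in uris if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_count = (Counter(map(_host, pdf_links)).most_common(1) or [("", 0)])[0]
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (size_bytes <= LINK_FARM_MAX_SIZE and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
               and share >= LINK_FARM_MIN_TOP_HOST_SHARE)
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2), "flagged": flagged}

def analyze(data: bytes) -> dict:
    """Run the three checks; 'findings' carries the heuristic IDs that fired."""
    uris = extract_link_uris(data)
    redirectors, farm = redirector_hits(uris), link_farm_stats(uris, len(data))
    findings = ["EMBEDDED_URL"] if uris else []
    findings += ["PDF_MALICIOUS_REDIRECTOR_LINK"] if redirectors else []
    findings += ["PDF_SEO_LINK_FARM"] if farm["flagged"] else []
    return {"link_uris": uris, "metadata_namespaces": extract_metadata_namespaces(data),
            "redirector_uris": redirectors, "link_farm": farm, "findings": findings}

def _build_sample() -> bytes:
    """Constructed stand-in for the analysed file (example.* hosts, not the report's):
    link annotations, one of them inside a Flate object stream, plus XMP metadata."""
    def annot(uri: bytes) -> bytes:
        return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI " + uri + b" >> >>\n"
    body = b"%PDF-1.4\n" + annot(b"(https://ttraff.com/pify?keyword=honeywell+thermostat+app)")
    body += b"".join(annot(b"(https://cdn.example.com/s/files/%d.pdf)" % n) for n in range(1, 6))
    body += annot(b"(http://files.example.net/uploads/1/3/0/9/a.pdf)")
    body += annot(b"(http://files.example.org/uploads/1/3/a\\(b\\).pdf)")          # escaped parens
    body += annot(b"<" + b"http://files.example.net/x.pdf".hex().encode() + b">")  # hex string
    objstm = zlib.compress(annot(b"(https://cdn.example.com/s/files/7.pdf)"))
    body += b"9 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n" + objstm + b"\nendstream\nendobj\n"
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"/></rdf:RDF></x:xmpmeta>')
    body += b"10 0 obj << /Type /Metadata /Subtype /XML >>\nstream\n" + xmp + b"\nendstream\nendobj\n"
    return body

SAMPLE_PDF = _build_sample()
```

Running `analyze(SAMPLE_PDF)` returns all three heuristic IDs, nine .pdf links with six of them on one host, and the XMP namespaces in their own list. The regex approach is deliberately parser-free so that it still works on damaged files, but it is a triage aid, not a replacement for a real PDF parser: it does not handle encrypted documents, cross-reference streams or filters other than Flate, and an attacker can split `/URI` across an indirect object reference to defeat the literal match.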

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000650b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x650B    5212 bytes
  SHA-256: aea958d5000fa6749cb96fdeba7eeaf47fadfcd8043c9a6aa4bfe03e8a7e319f
font_01_sfnt_off000076a9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x76A9   10604 bytes
  SHA-256: 999d44e97f75e045553e3da11018a9dcf6421bd009ddeb6b9b372527ddf4d499

Both carved artifacts are embedded fonts (sfnt) and nothing else was carved, consistent with a carrier whose payload is its link structure rather than active content such as JavaScript or embedded files.