Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b6f075801ac98f7…

MALICIOUS

PDF

40.8 KB Created: 2020-08-31 08:05:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae4f25737dee251c035dbc91beec19ec SHA-1: e30998c6909eb6d667b0089fe99624a2fc8dd698 SHA-256: 7b6f075801ac98f7d5d6ceec85bccb2580276b1cc958dab7b6cb4b18856b924e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a known malicious infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text related to 'us customs declaration form 6059b pdf download', suggesting a lure to trick users into clicking the malicious link. The PDF also contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=us+customs+declaration+form+6059b+pdf+download
    • https://static.usrfiles.com/ugd/87a178_7f253e94e7964dbabc921f5498b7a2b9.pdf
    • https://static.usrfiles.com/ugd/e2f197_e5b892d80903403eb5b1481f75b874b9.pdf
    • https://static.usrfiles.com/ugd/2c608b_f4f3bea74034413788dbf4b25443c748.pdf
    • https://static.usrfiles.com/ugd/b8c837_6fbe8aa1ddb442968027325f89fc08b0.pdf
    • https://static.usrfiles.com/ugd/921909_55a08beed64e4194ab06a037023ad268.pdf
    • https://static.usrfiles.com/ugd/6f7357_c5b9fdfda48b4b5eafdf978e4cd3c3a2.pdf
    • https://static.usrfiles.com/ugd/724fb5_0487fcdc66c54cb791cf30d0d776c140.pdf
    • https://static.usrfiles.com/ugd/fbccce_b47514dceed345aba231deb998cdb9d8.pdf
    • https://static.usrfiles.com/ugd/58a813_92b4c3bee7854314be32a3db862c22fb.pdf
    • https://static.usrfiles.com/ugd/b8c837_c126fe0be78f4f7f905304c093dba482.pdf
    • https://static.usrfiles.com/ugd/de02f3_05d04c1f8db147e28f8fcdfbddcf24d3.pdf
    • https://cdn.shopify.com/s/files/1/0434/4964/7271/files/bird_song_notification_sound.pdf
    • https://cdn.shopify.com/s/files/1/0437/0812/1242/files/backgrounds_for_photo_editing.pdf
    • https://cdn.shopify.com/s/files/1/0435/5502/9141/files/how_to_get_discord_partner.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ea4.bin
60631f5a5f1bcd0a2e39509a4f136537527cc04d0e3705ac3fb2be4494c197bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EA4 6100 bytes
font_01_sfnt_off00007351.bin
0d0491ea9f427e2fb05276dcfc683ada3fc496ac9354a6e00ee3ce57bc381598		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7351 10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.