Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bbc1e412e93125f…

MALICIOUS

PDF

71.6 KB Created: 2020-09-01 08:42:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4dbcf2dc485030e32c183e0929ce4a1 SHA-1: ea5ef27e4f1cea5b82417fb5463db7795f2b2b60 SHA-256: 7bbc1e412e93125f08dcf273ebf34b66ddd6d0f904e7b17dde8572367f489fa0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links that redirect to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be social engineering, luring users to a malicious site under the guise of a cheat sheet.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=alchemy+2+cheat+sheet
    • https://static.usrfiles.com/ugd/b13fd1_6fd45f15772d4eb8bc364906f9c5b7a1.pdf
    • https://static.usrfiles.com/ugd/12745a_649ffc55e1a846ffb10fcc872a27882c.pdf
    • https://static.usrfiles.com/ugd/50c35f_197102466072461da2306bf2f4b89cdc.pdf
    • https://cdn.shopify.com/s/files/1/0434/8936/2082/files/zejuzowolaraxazedo.pdf
    • https://cdn.shopify.com/s/files/1/0435/5316/1367/files/27329482807.pdf
    • https://cdn.shopify.com/s/files/1/0434/1006/3527/files/play_store_speed_very_slow.pdf
    • https://cdn.shopify.com/s/files/1/0439/2147/3691/files/56672893821.pdf
    • https://cdn.shopify.com/s/files/1/0439/1026/7035/files/drake_l4b_amplifier.pdf
    • https://cdn.shopify.com/s/files/1/0433/6808/7711/files/biodiversity_hotspots_in_pakistan.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d4d6.bin
f314b17656d98d2701fa5c1e86456ce6291ef7b6f15ca377585765177ee15b86		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4D6 5168 bytes
font_01_sfnt_off0000e649.bin
dd978fb90d7b77384f0db3b3722d2f65987352d5f0f6adedd8c3481c757524c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE649 13880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.