Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d45cf52f10ff393…

MALICIOUS

PDF

Size: 41.8 KB
Created: 2020-07-29 12:48:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02c013d05221c42e11b7b1a588c48cf6
SHA-1: a6f34074bd0afe130da42bc289319bff528d1f61
SHA-256: 7d45cf52f10ff393ed61c2e8d103a02d04e8a353a60daf0756f0bf76b57235af
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains numerous clickable links to external websites, and the primary link points to a known malicious redirector (ttraff.com). The document body is heavily obfuscated, but the redirector's keyword parameter decodes to a French search phrase for corrected primary-school (CM1) grammar exercises, so the lure targets users looking for worksheet PDFs. The redirector exists to move the user from the document to an attacker-controlled site, most likely for unwanted-software delivery or credential harvesting. The chain depends on user interaction (clicking a link), not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wb?keyword=les%20expansions%20du%20nom%20exercices%20corrig%C3%A9s%20pdf%20cm1
    • http://files.footballsnapbacks.com/uploads/1/3/1/4/131438439/2272731.pdf
    • http://files.thewanderingravens.com/uploads/1/3/2/6/132680822/rikirabel.pdf
    • http://files.landlockedthewebseries.com/uploads/1/3/2/6/132682723/dajefavawegej.pdf
    • http://files.landlockedt
    • https://cdn.shopify.com/s/files/1/0440/6303/1448/files/tugamizizevadezoged.pdf
    • https://cdn.shopify.com/s/files/1/0433/7015/2088/files/3095944893.pdf
    • https://cdn.shopify.com/s/files/1/0437/0500/8293/files/64892595310.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53607129813.pdf
    • https://cdn.shopify.com/s/files/1/0434/4299/5352/files/juremovevipitizis.pdf
    • https://cdn.shopify.com/s/files/1/0437/6212/2903/files/17390517337.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/39858795743.pdf
    • https://cdn.shopify.com/s/files/1/0437/7188/7767/files/xilonopigo.pdf
    • https://cdn.shopify.com/s/files/1/0439/1878/6728/files/48349697816.pdf
    • https://cdn.shopify.com/s/files/1/0427/7318/4678/files/93279087001.pdf
    • https://cdn.shopify.com/s/files/1/0431/6535/2093/files/26482810410.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six URIs above are RDF/XMP namespace identifiers from the document's metadata stream, not clickable link annotations; they are emitted by any XMP-writing producer and carry no weight in the heuristics.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006127.bin
  SHA-256: 1801e057800971dbe96b7b5977fc0fa841e9221dfec72d845a51fa37989d6e47
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6127
  Size: 5448 bytes

Filename: font_01_sfnt_off00007357.bin
  SHA-256: 9c760db01472eb4942f38090017900b5ec0eb578ee3dcc1f77b647be10b7bb66
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7357
  Size: 10788 bytes