Malicious PDF — malware analysis report

Static analysis result for SHA-256 7dfb999e54365a5c…

MALICIOUS

PDF

49.0 KB Created: 2020-08-05 17:06:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc3d5ee9ec9ca2f0d2c440cee7eae7bc SHA-1: ccc5df6557b30838ff3a952454f8931911d83a69 SHA-256: 7dfb999e54365a5c26087f481df8bdc2abc829f2eb5d3430b8ec38b3f6a55978
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains, including a known malicious redirector. The primary lure appears to be a free download of the Bhagavad Gita, which is a common tactic for SEO-based link farms and phishing. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bhagavad+gita+online+free+download+pdf
    • http://files.dutchhillfarm.shop/uploads/1/3/1/4/131407102/5370617.pdf
    • http://files.newseedspriory.org/uploads/1/3/0/8/130814459/3964854.pdf
    • http://files.potofgreenflorist.com/uploads/1/3/2/8/132814166/xesemafafedibu.pdf
    • http://files.keyuped.com/uploads/1/3/1/4/131437834/gegujibupul-xoxutoreja.pdf
    • http://files.undergroundcomedyfest.com/uploads/1/3/0/8/130814234/582a1a69.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pusowa.pdf
    • https://cdn.shopify.com/s/files/1/0437/3217/2965/files/42296246059.pdf
    • https://cdn.shopify.com/s/files/1/0434/4227/4454/files/nivadenanexe.pdf
    • https://cdn.shopify.com/s/files/1/0431/6309/1112/files/28423990977.pdf
    • https://cdn.shopify.com/s/files/1/0433/9384/3358/files/tamotafavovariwawopeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/0876/1751/files/xarurovunukadedidufebase.pdf
    • https://cdn.shopify.com/s/files/1/0429/0733/6857/files/24815311987.pdf
    • https://cdn.shopify.com/s/files/1/0437/5350/4917/files/64084190530.pdf
    • https://cdn.shopify.com/s/files/1/0428/1755/2543/files/82914422573.pdf
    • https://cdn.shopify.com/s/files/1/0437/8548/6485/files/57773131342.pdf
    • https://cdn.shopify.com/s/files/1/0433/4790/2629/files/17099731592.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tijubijevuvikupox.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/75904593322.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000822e.bin
53817d759e88baab76129fc6c79c4e6a210dfefcbe4cd2d1afc216cdc5fdae6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x822E 5328 bytes
font_01_sfnt_off00009467.bin
bff99f27da63aa2b03983f09babfddc147de4cae9bef82cc82d199bb2e0f2543		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9467 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.