Malicious PDF — malware analysis report

Static analysis result for SHA-256 8159eba176382b58…

Verdict: MALICIOUS
File type: PDF
Size: 32.1 KB
Created: 2020-09-21 13:44:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 034ab9642abe6e8798e7dfa9333cbd3e
SHA-1: 1c4ad856a573c7b94528fdaad8d9a372219cbeeb
SHA-256: 8159eba176382b588a72d1d46371bd2e53f79498e68e8a5a6916261f1957f68e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a prominent link promising free coloring pencils, a common lure for phishing and malware delivery. The link redirects to known malicious infrastructure. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation or to obscure the malicious redirector. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.link/wix?keyword=free+colouring+pencils

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000043d6.bin
  SHA-256: 53c5c71957dee8ec7b8f03de1fab6f10a63cdbc6997a1fc9ba89203d60a2aec6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x43D6
  Size: 4848 bytes

Filename: font_01_sfnt_off0000546c.bin
  SHA-256: dab657c5a34cb1ec8a28b8e0e7ad45720da938a9a94b83552867ea81f88d7a55
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x546C
  Size: 9296 bytes