Malicious PDF — malware analysis report

Static analysis result for SHA-256 842a97450eefa31f…

Verdict: MALICIOUS
File type: PDF
Size: 65.3 KB
Created: 2020-08-09 14:58:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6e2618888d2ec3a16ef8c80b1fe34f5
SHA-1: 6aef7bb0181ca3ea2bfd9e07e4967571b3fb3554
SHA-256: 842a97450eefa31fa379b51c2e6b4c9aa7c3647de5e765708a75c3e766ff0bbb
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with one link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the heuristic. The large number of links suggests an attempt to distribute malicious content or to perform SEO manipulation for malicious purposes. The ML classifier strongly indicates that the file is malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=new+technology+in+construction+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c3db.bin
  SHA-256: fda565d6c2e600a4eb19c6cadd5b0dc0710ce2f49e0f605ef186d1e8e0424d0b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC3DB
  Size: 5368 bytes

Filename: font_01_sfnt_off0000d640.bin
  SHA-256: 3d5bff6cf7d54d2fa00815bda694df66b83ba7170870e0d2885b1603c59e2630
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD640
  Size: 9872 bytes