Malicious PDF — malware analysis report

Static analysis result for SHA-256 894225901392b738…

MALICIOUS

PDF

52.3 KB Created: 2020-08-19 02:38:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f1a3e62281b652c7b36aa2d1ed091010 SHA-1: be1856b5a98772b791ca836557bd4abbb4a0693d SHA-256: 894225901392b7389595b93788b38ff9820afc3ab104c2efe761bd947fbf988d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to malicious infrastructure, as indicated by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The document body and embedded links suggest a lure related to vehicle manuals, which is a common tactic for phishing or malware delivery. The presence of a link farm further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=1990+chevy+k5+blazer+owners+manual
    • http://files.shhsart.com/uploads/1/3/1/4/131437438/webejadok_lerubapopuno_todub.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jotinu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4011/1782/files/gomewazorenewinagomu.pdf
    • https://cdn.shopify.com/s/files/1/0436/9013/1609/files/78855480529.pdf
    • https://cdn.shopify.com/s/files/1/0433/2912/6550/files/1852768755.pdf
    • https://cdn.shopify.com/s/files/1/0436/9560/3880/files/timber_frame_sawhorse_plans.pdf
    • https://cdn.shopify.com/s/files/1/0430/9765/3397/files/apostille_florida.pdf
    • https://cdn.shopify.com/s/files/1/0428/3239/6447/files/kajosilusigurape.pdf
    • https://cdn.shopify.com/s/files/1/0434/6878/3768/files/36499510696.pdf
    • https://cdn.shopify.com/s/files/1/0432/5995/3312/files/gepilupegowu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000791e.bin
af6f4dacc849da6d45dd002d93e6d9cd41e481882a53e635a3b76b1e60bbf2e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x791E 5928 bytes
font_01_sfnt_off00008d3d.bin
bf5254e500cff1aabcf5813223c9ac550dda8016ccd12d44534375feb7ed3a51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D3D 9968 bytes
font_02_sfnt_off0000af8f.bin
ae97ebdbf5cb6679ee3ae7f6f8963da9ec2437ada1f672a33085bc8cbe806833		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF8F 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.