Malicious PDF — malware analysis report

Static analysis result for SHA-256 89d9baa4e089cdb8…

MALICIOUS

PDF

Size: 36.1 KB
Created: 2020-09-21 10:14:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b92def8f1f8f83878c3b4de23984fc52
SHA-1: 6b23ee50cd71fb2e43c5088dd2bbbea43a9091f8
SHA-256: 89d9baa4e089cdb82208cb81236020a6f24480f328833d166505d8123de502b7
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains a large number of embedded links, a common tactic for redirecting users to malicious sites. The document body, though partially corrupted, suggests a lure related to an 'income worksheet'. The heuristic firings confirm the presence of malicious redirector links and a link farm, strongly indicating a phishing or scam attempt. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.me/wix?keyword=radian+income+worksheet
    • http://dikid.mixedsignals.ca/uploads/1/3/0/7/130776541/4bd895e5057212.pdf
    • http://wejekivux.leftinspain.com/uploads/1/3/1/4/131407995/c260ecd8d429b.pdf
    • http://files.christinaerasmus.com/uploads/1/3/1/4/131437418/zagisago.pdf
    • http://files.gricua.net/uploads/1/3/0/9/130969080/682eb18a31b.pdf
    • http://vuterop.beyondlagartococha.com/uploads/1/3/1/4/131410685/5530619.pdf
    • https://73f20602-020a-4526-9b12-bd693fb18cf8.filesusr.com/ugd/0047a4_a2ed1b2b1d424a32bdf7b1fb7d25a055.pdf?index=true
    • https://71cfd46b-4b70-4ed3-b429-0167f1db2b54.filesusr.com/ugd/41a0b6_83c1e364f59a4369b2f153835909d4fb.pdf?index=true
    • https://80385c96-ad95-40d8-a002-be44b8879613.filesusr.com/ugd/10cedf_dd89c1e80cde4575881c460c8497ed98.pdf?index=true
    • https://2cacd380-25d0-4b1b-8365-8fe49c0b65d2.filesusr.com/ugd/dcfb95_c149b7191135420f92b260dbed2348d7.pdf?index=true
    • https://8d8b8ca5-e2bd-4d2d-b06c-55ba367d025d.filesusr.com/ugd/cdb50c_0aed0de00089454da8e0c6f2e45e0b4d.pdf?index=true
    • https://2e92992d-2363-40e3-a9d3-3e20d855076a.filesusr.com/ugd/9ea91e_8ab8f15393f24a3d91ed629cb776f558.pdf?index=true
    • https://ada162d4-b88e-46fd-aadd-6bdfe36566a5.filesusr.com/ugd/a42eed_bcca7f1889ba4863a32540c9fb6b506a.pdf?index=true
    • https://424a6a2e-73f5-456b-b2c2-b8c0c77a2f37.filesusr.com/ugd/10a4aa_0934eca67c0e4010a9ca50d5765a1d46.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004f48.bin
SHA-256: daf982c04adfdbd76b5715bc7e1185727b01b69b70d1e724b124f0c724901260
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4F48
Size: 5308 bytes

Filename: font_01_sfnt_off00006144.bin
SHA-256: 1d6906fe17d2f615caa59cf7a3989a584e42b2e44455dd3a02f38376e57e8dd3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6144
Size: 10220 bytes