Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f36f3356b24753f…

MALICIOUS

PDF

Size: 230.8 KB
Created: 2020-08-06 06:50:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6f74ca3926050a0c7b12d0203800632
SHA-1: 0bd5b1507aaa2833870a38292873a9a08112a5c0
SHA-256: 8f36f3356b24753f96a0a8a9de1da6aed6a343c0092965745edad2fc811b080b
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a link that redirects to a known malicious domain, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the URL which is likely intended to trick the user into downloading further malicious content. The ML classifier also strongly suggests maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00034f02.bin
  SHA-256: 0947f32e7d6512c8d665ef5e97851555bb2cde3eee9e5e83f53294af011a6dd3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x34F02
  Size:    4976 bytes

Filename: font_01_sfnt_off0003600f.bin
  SHA-256: bbf05485491aa4c960f0a91edc63bea2042d8cfd29cc9859fd086dc14696423b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3600F
  Size:    13956 bytes