Malicious PDF — malware analysis report

Static analysis result for SHA-256 90ed16b25819fffb…

Verdict: MALICIOUS
File type: PDF

Size: 53.5 KB
Created: 2020-09-01 07:22:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb2457cfe7a0cc3d304df7c60f4c4eb1
SHA-1: 6ceb5cc15dab0daad3c0a9614ea0a783dabf6a89
SHA-256: 90ed16b25819fffbfa2aa312e78fadf8a58f704d79da936fc6ba5b933ccb0f75
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell (not evidenced by any artifact in this report: no script, action or non-font stream was extracted, so treat this mapping as unconfirmed for this sample)

The PDF presents a link labelled with a movie title (the keyword carried in the URL is "robin hood movie 2018 parents guide"), a social-engineering lure that invites the reader to click. That link points to a known malicious redirector, so the document is a phishing or malware-distribution carrier that depends on the user clicking rather than on a parser vulnerability. The remaining clickable links form an SEO link farm of further PDFs on a single file-hosting host, and the producer string (wkhtmltopdf, an HTML-to-PDF converter) fits a machine-generated carrier rather than an authored document. The ML classifier independently scored the file as malicious with the maximum score (1.0000).

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; the info severity here means the duplicate did not.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel through which it is reached (link annotation, JavaScript, macro, document body, ...). The URLs from this sample fall into three groups.
    Redirector link (the clickable URI behind PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/wix?keyword=robin+hood+movie+2018+parents+guide
    Link farm (18 clickable links to further PDFs, all on one host; the basis of PDF_SEO_LINK_FARM):
    • https://static.usrfiles.com/ugd/7d21c0_66cc32e668e044afa45c6ef8a53de165.pdf
    • https://static.usrfiles.com/ugd/ce14f3_58fd03ad293f431084ee98fe5fa6261a.pdf
    • https://static.usrfiles.com/ugd/7f16bd_f5aa22dfff1c43f194da8454cdd373d3.pdf
    • https://static.usrfiles.com/ugd/90423f_37854fb52054438da4bc12cbc1504662.pdf
    • https://static.usrfiles.com/ugd/4c76bf_6b6822d934a045d582fb5caa9fdb3c10.pdf
    • https://static.usrfiles.com/ugd/63d3ad_f8f0e23a877044a7bcae92bff1ba9a9e.pdf
    • https://static.usrfiles.com/ugd/b8c837_976822f605494c2280f25cbafcfbd61d.pdf
    • https://static.usrfiles.com/ugd/1cc777_f8998161a4f240689bbf02515cf09cb6.pdf
    • https://static.usrfiles.com/ugd/b8c837_f1ecf845b4e84769b685920271feb4ac.pdf
    • https://static.usrfiles.com/ugd/912de2_783c0bcbad98494d88092b6dd3f6a3ea.pdf
    • https://static.usrfiles.com/ugd/93c935_3b65f6d3e9174fb68d01023ed931631c.pdf
    • https://static.usrfiles.com/ugd/3bf302_48aea49d902e4156953980e9c3c7f060.pdf
    • https://static.usrfiles.com/ugd/f515ca_201e8eaed7984294b413d87354f25b1c.pdf
    • https://static.usrfiles.com/ugd/23b571_400be7a81e9f44498a8d19242bafb57c.pdf
    • https://static.usrfiles.com/ugd/a43ec6_0548d3e4c09b4e708605abcf4d2c950a.pdf
    • https://static.usrfiles.com/ugd/ca300b_0b9fdd1f02fc4822ba5245dae96da776.pdf
    • https://static.usrfiles.com/ugd/430cb2_169ca510ec31474d9cc69eb0f90f9cf5.pdf
    • https://static.usrfiles.com/ugd/510a18_70e37102ec3a45c8af06588737de4c73.pdf
    XMP metadata namespaces (standard RDF, Dublin Core and Adobe XMP schema identifiers from the document's metadata; not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
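As an added worked example (not part of the original report, and not the analysis tool's own code), the script below re-implements the shape of two of the heuristics above: it scans a PDF byte stream for every `N G obj ... endobj` definition, resolves duplicates the way a first-wins or a last-wins reader would, extracts `/URI` link annotations from the resolved view, checks them against a redirector host list and for the small-file, many-PDF-links-on-one-host link-farm pattern, and reports objects defined twice with different body bytes, raising severity only when the duplicate carries an action key. It runs on a constructed byte string that mimics this report's structure (one redirector link, a dozen farm links on static.usrfiles.com, and object 4 defined twice so that first-wins and last-wins readers see different links). The thresholds, the `ACTIVE_KEYS` list, the `REDIRECTOR_HOSTS` denylist, the "high"/"info" severity labels and the sample itself are assumptions made for this example, not values taken from the report.

```python
"""Triage of two heuristics from the report above: URI link annotations (redirector /
link-farm shape) and duplicate object definitions (first-wins vs last-wins)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" found by raw scanning, deliberately ignoring the xref table,
# so every definition of an object is seen even when the xref points at only one.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI literal strings without escaped parentheses (enough for link-farm carriers).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys treated as "active content" (assumption; the report's list is not given).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/GoToR")
# Constructed from this report's finding; a real deployment pulls this from threat intel.
REDIRECTOR_HOSTS = {"ttraff.com"}


def collect_objects(data):
    """Map (num, gen) -> list of body bytes in file order (duplicates preserved)."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs


def resolve(objs, policy="last"):
    """Pick one body per object the way a first-wins or last-wins reader would."""
    idx = 0 if policy == "first" else -1
    return {k: v[idx] for k, v in objs.items()}


def duplicate_object_findings(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: same (num, gen), different bytes."""
    findings = []
    for (num, gen), bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(key in body for body in bodies for key in ACTIVE_KEYS)
            findings.append({"obj": f"{num} {gen}", "copies": len(bodies),
                             "severity": "high" if active else "info"})
    return findings


def link_farm_finding(uris, file_size, max_size=200 * 1024, min_links=8, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM-style check; the thresholds are assumptions, not the report's."""
    pdf_links = [u for u in uris if u.lower().startswith(("http://", "https://"))
                 and urlsplit(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return None
    top_host, top_count = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    if file_size <= max_size and len(pdf_links) >= min_links and top_count / len(pdf_links) >= cluster_ratio:
        return {"links": len(pdf_links), "top_host": top_host, "clustered": top_count}
    return None


def triage(data, policy="last"):
    """Run the link and duplicate-object checks under one object-resolution policy."""
    objs = collect_objects(data)
    uris = [m.group(1).decode("latin-1")
            for body in resolve(objs, policy).values() for m in URI_RE.finditer(body)]
    hosts = {urlsplit(u).hostname for u in uris}
    return {"uris": uris,
            "redirector_hits": sorted(h for h in hosts if h in REDIRECTOR_HOSTS),
            "link_farm": link_farm_finding(uris, len(data)),
            "duplicate_objects": duplicate_object_findings(objs)}


def build_sample_pdf(n_farm_links=12):
    """CONSTRUCTED sample shaped like the report (no xref table, so not a valid PDF);
    it is not the analysed file. Object 4 is defined twice with different bodies."""
    redirector = "https://ttraff.com/wix?keyword=robin+hood+movie+2018+parents+guide"
    farm = [f"https://static.usrfiles.com/ugd/{i:06x}_{i:032x}.pdf" for i in range(n_farm_links)]
    link = "{n} 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >>\nendobj\n"
    annots = " ".join(f"{4 + i} 0 R" for i in range(1 + n_farm_links))
    parts = ["%PDF-1.4\n",
             "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>\nendobj\n",
             link.format(n=4, u="https://example.org/parents-guide")]      # first body of 4 0
    parts += [link.format(n=5 + i, u=u) for i, u in enumerate(farm)]
    parts.append("trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    parts.append(link.format(n=4, u=redirector))                           # second body of 4 0
    parts.append("trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return "".join(parts).encode("latin-1")


if __name__ == "__main__":
    sample = build_sample_pdf()
    for policy in ("first", "last"):
        r = triage(sample, policy)
        print(policy, "redirector:", r["redirector_hits"], "farm:", r["link_farm"],
              "dups:", r["duplicate_objects"])
```

Running it under both policies is the point: a first-wins reader resolves object 4 to the harmless example.org link and reports no redirector hit, a last-wins reader resolves it to the redirector, while the duplicate-object check fires either way because it looks at every definition rather than the resolved one. A triage pipeline that only follows the xref table, or only one policy, sees half the picture.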

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt-container fonts; no script, action or other non-font stream was carved.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00008331.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8331  5948 bytes
  SHA-256: 7aef89227b0279d62fb299b8382d60b9400d5573a42e8ee5d6afb9bd9033f156
font_01_sfnt_off0000973d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x973D  10368 bytes
  SHA-256: bd6b0fc0c6332ab175276894e1d13946482bc64fb623a3a9bbb87309d53c8a9f
font_02_sfnt_off0000babd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBABD  4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378