Malicious PDF — malware analysis report

Static analysis result for SHA-256 9116deed6d0063a4…

Verdict: MALICIOUS
File type: PDF
Size: 47.5 KB
Created: 2020-08-11 20:07:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1ae825bde7120c7a25081a66d1ddc5b
SHA-1: 91e018c469a50c01b87a5d236bb9f18fb86d3dd7
SHA-256: 9116deed6d0063a4149fb8cc2b9e3d8ba08bcf29e5f039eebaa946cd26adedd3
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains multiple embedded URLs; a critical heuristic fired on a link to known malicious redirector infrastructure. The document body, although heavily obfuscated, contains a URL that matches that redirector. The large number of external PDF links suggests an SEO-poisoning carrier intended to drive traffic to malicious sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007bb7.bin
    SHA-256: 60aa6981969de133faf7823403b7c09a4d8f419b07b483e4bf898eab7c9d6ebe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7BB7
    Size: 5444 bytes
  • Filename: font_01_sfnt_off00008e52.bin
    SHA-256: e356ca61f41ebdc1d518b6dd54696059bebaf12976dfa4a9eaf2a1e939b7ca7c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E52
    Size: 10000 bytes