Malicious PDF — malware analysis report

Static analysis result for SHA-256 911a5dcc4164a9b3…

MALICIOUS

PDF

40.9 KB Created: 2020-09-08 00:41:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6d6d9fadba8fd8b9612fa2de16a0e7c SHA-1: 5dffc881a3c08aeca8233a527ea1c4cd7d332e5d SHA-256: 911a5dcc4164a9b3c9a7c674cee3362aedda5c70e95892a1efc1e48681cc278f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The link leads to a URL associated with known malicious infrastructure. The presence of numerous other links, many pointing to Shopify, suggests a link farm or SEO poisoning tactic to obscure the malicious destination. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=reforme+bourse+etudiant+2018
    • https://cdn.shopify.com/s/files/1/0431/0342/0570/files/anthem_blue_cross_medicare_prior_authorization_form.pdf
    • https://cdn.shopify.com/s/files/1/0431/6508/9949/files/41856359204.pdf
    • https://cdn.shopify.com/s/files/1/0435/5896/1320/files/basal_body_temperature_bbt_chart.pdf
    • https://cdn.shopify.com/s/files/1/0433/8850/2174/files/45313534342.pdf
    • https://cdn.shopify.com/s/files/1/0433/6323/8056/files/22571336241.pdf
    • https://cdn.shopify.com/s/files/1/0431/3631/9645/files/roxololelo.pdf
    • https://cdn.shopify.com/s/files/1/0429/2149/2643/files/button_beep_sound.pdf
    • https://cdn.shopify.com/s/files/1/0433/7929/4358/files/93078603288.pdf
    • https://static.usrfiles.com/ugd/c1c462_d2349af8f30241ec96d3ff440ead9c52.pdf
    • https://static.usrfiles.com/ugd/ee6770_3d27da977f0548afad8c107b9a698ed0.pdf
    • https://static.usrfiles.com/ugd/c33cdb_c9552150374f4ef48b7bdbba53d59531.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ceb.bin
e6c8c4430e00629ed1ff99a7a53b3dad25a4bd06e61703270c38c7197f83126a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CEB 5688 bytes
font_01_sfnt_off00007032.bin
13caf1a8e91ec69c926845c9d6e882b9f84abaad4bf6ba5f400b7c39fa0435c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7032 11952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.