Malicious PDF — malware analysis report

Static analysis result for SHA-256 911c26d59d4b678f…

MALICIOUS

PDF

37.7 KB Created: 2020-08-29 11:43:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c8cab8e8fa245477cdbaa51155463c5 SHA-1: 0982f7da0132577156c79e557961ba52e76c40f1 SHA-256: 911c26d59d4b678f6a794d7c5d49705fb71cfe35dab1f7b00035acc51ae35a19
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a mass external PDF link farm. The document body, though heavily obfuscated, contains references to a 'cechya 0080 usb adapter' and includes the malicious URL. The primary malicious URL points to a known redirector, suggesting an attempt to lead users to a compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cechya+0080+usb+adapter
    • https://cdn.shopify.com/s/files/1/0431/7049/6672/files/mulinewom.pdf
    • https://cdn.shopify.com/s/files/1/0437/9253/1617/files/cholesterol_guidelines_canada_2019.pdf
    • https://cdn.shopify.com/s/files/1/0437/3364/7525/files/zokogelogonopudibazexu.pdf
    • https://static.usrfiles.com/ugd/b8c837_a42bb6666747494786b15eb149dae19e.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab263fd15120447dbafc7365514bc4bb.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed0b716124984bd295055a03a17a085f.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd7c2cbe24154071b1c4f85a204a4481.pdf
    • https://static.usrfiles.com/ugd/b8c837_f6ac113f8e6549f38de29ca44eaa6dad.pdf
    • https://static.usrfiles.com/ugd/2813e2_4a3d53dac7664c88b2b090180e9e58cf.pdf
    • https://cdn.shopify.com/s/files/1/0427/4146/5244/files/anandamath_in_bengali.pdf
    • https://cdn.shopify.com/s/files/1/0427/6020/8540/files/ligeditoraxuxanosamosun.pdf
    • https://cdn.shopify.com/s/files/1/0431/2052/5469/files/42888774241.pdf
    • https://cdn.shopify.com/s/files/1/0431/2757/0596/files/maharaja_agrasen_public_school_admission_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052aa.bin
53f89e1ad7e2202de0ae9240fc205c7f4d0c0d4e2524eff571bba81769b386f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52AA 5612 bytes
font_01_sfnt_off000065a5.bin
d8cb67d2f76f903e135a29068f0e71b32b784089946ec1817068c3860b833e3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65A5 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.