Malicious PDF — malware analysis report

Static analysis result for SHA-256 92d9625760d572d5…

MALICIOUS

PDF

44.9 KB Created: 2020-08-31 04:50:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3566d43ff7dfe00691983aee45e8777 SHA-1: 5b840d3d05849c64ec37e44a9cbb96eee364f689 SHA-256: 92d9625760d572d53f199d8ebaf1a55f2fe029f3a37d557df2d51e9901ecb4b7
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text related to 'Epson 645 driver', suggesting a lure to trick users into downloading potentially malicious software. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=epson+645+driver
    • https://cdn.shopify.com/s/files/1/0439/1154/4987/files/chacun_sa_route_partition.pdf
    • https://cdn.shopify.com/s/files/1/0427/9799/0055/files/33373319882.pdf
    • https://cdn.shopify.com/s/files/1/0462/2001/7818/files/appium_1._7._1_for_mac.pdf
    • https://cdn.shopify.com/s/files/1/0433/5930/5880/files/melissa_king_miss_delaware.pdf
    • https://static.usrfiles.com/ugd/bfbc46_8b16b457a73c4313b3dd3d07d278a2cd.pdf
    • https://static.usrfiles.com/ugd/6da380_1e5e146019be43cd84b26a0a1d09d456.pdf
    • https://cdn.shopify.com/s/files/1/0436/0346/0259/files/13871288138.pdf
    • https://cdn.shopify.com/s/files/1/0430/7746/8327/files/cubs_2020_schedule.pdf
    • https://cdn.shopify.com/s/files/1/0429/0134/0319/files/xikumel.pdf
    • https://cdn.shopify.com/s/files/1/0429/4931/2666/files/61408915943.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c47.bin
8a9a866a89c94cd912ba717c10b6dea10b342b45210dac797bebcdda22350ffa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C47 5096 bytes
font_01_sfnt_off00006db6.bin
de3d5003068f880a1e7f40762baa2215e65ec135d02e0dac7af311af8ea3016d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DB6 10560 bytes
font_02_sfnt_off0000920f.bin
aa1464b36b52ac156dd3ea04bc30a94b8376eaa6838293fad627926ea8981a5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x920F 16144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.