Malicious PDF — malware analysis report

Static analysis result for SHA-256 94c894e05e16f9b8…

MALICIOUS

PDF

42.6 KB Created: 2020-08-09 10:53:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4509f18f5a79a5be116f69a2ec7ac43 SHA-1: e2c26149d48bf7d5bff2f542a611e52950ddc818 SHA-256: 94c894e05e16f9b8aa8350f5db7f62b3339a46778f746e5ad3d6da357cb9f145
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL designed to trick users into downloading software. The document body text, though heavily obfuscated, contains keywords related to downloading software and the malicious URL itself. The ML classifier also strongly flagged this PDF as malicious. The primary attack vector appears to be a social engineering lure disguised as a software download.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=adobe+pdf+reader+and+editor+for+windows+10+free+download
    • http://files.myranchoserrano.com/uploads/1/3/2/8/132814977/3173733.pdf
    • http://files.allisonloehr.com/uploads/1/3/2/8/132816066/8358aa.pdf
    • http://files.uuchurchofstockton.org/uploads/1/3/1/3/131383544/3310012.pdf
    • http://files.northsoundjuniorcheer.org/uploads/1/3/1/4/131453188/8681207.pdf
    • http://buxufex.kingfisher-strategy.com/uploads/1/3/0/8/130814328/niguwad.pdf
    • https://cdn.shopify.com/s/files/1/0427/6859/7158/files/psat_coordinator_manual.pdf
    • https://cdn.shopify.com/s/files/1/0427/8370/3206/files/hp_10_bii_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/9468/8412/files/80352079855.pdf
    • https://cdn.shopify.com/s/files/1/0428/9904/6553/files/ikea_catalogue_2020_egypt.pdf
    • https://cdn.shopify.com/s/files/1/0439/6217/1550/files/woniremumetixeg.pdf
    • https://cdn.shopify.com/s/files/1/0433/6861/1998/files/17938442688.pdf
    • https://cdn.shopify.com/s/files/1/0429/6572/9429/files/3323630494.pdf
    • https://cdn.shopify.com/s/files/1/0431/1498/7674/files/lightweight_reader_linux.pdf
    • https://cdn.shopify.com/s/files/1/0430/1049/0519/files/bronchiolitis_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0427/4854/3142/files/product_analyst_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/4441/3341/files/benuromixumilezoledukaf.pdf
    • https://cdn.shopify.com/s/files/1/0431/7695/1974/files/87693908848.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pekazojifedabefotekufof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000681b.bin
3fd93a4af358d6d43d262598058aa626cbd54ae5a98b29483ec210500c66eee2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x681B 5448 bytes
font_01_sfnt_off00007ac5.bin
9a4a2216f04c5d65e1880a3729fd33c017311ec68f0f7c82d2e582f1e7bc24b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AC5 9992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.