Malicious PDF — malware analysis report

Static analysis result for SHA-256 95f1d71254443ee4…

MALICIOUS

PDF

42.1 KB Created: 2020-08-24 02:54:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01bd29ded163e3e58e7569e2dd6cb8da SHA-1: 61ec0e75d27d8c2df586029c1aa345dd748083b5 SHA-256: 95f1d71254443ee4ca4a3514ac3021e3a6c44532554eb8c698ca8d00fefb2fde
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, disguised as a lure for free software presets. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK directly indicates this malicious intent. The document body, though heavily corrupted, contains fragments of the lure text and the malicious URL. The presence of numerous other PDF links, as flagged by PDF_SEO_LINK_FARM, suggests a link farm used for SEO poisoning or distributing malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=adobe+photoshop+cc+2019+presets+free
    • http://files.metrogovernance.com/uploads/1/3/1/6/131606454/3e4f3e09d5cb9.pdf
    • http://files.livetosparkleblingboutique.com/uploads/1/3/0/7/130739444/vukeva.pdf
    • http://kisipikiw.cpanta.com/uploads/1/3/0/7/130739919/kunuzug.pdf
    • http://rusenexo.torratymakeup.com/uploads/1/3/1/4/131483371/duwilu_bideburoxabej_xizawumideda.pdf
    • http://files.convictionsolutions.com/uploads/1/3/1/8/131871674/rotovuzixaduwo.pdf
    • https://cdn.shopify.com/s/files/1/0431/3484/5079/files/27012920060.pdf
    • https://cdn.shopify.com/s/files/1/0440/0496/6565/files/kapuzokazabulabesefir.pdf
    • https://cdn.shopify.com/s/files/1/0449/9360/9896/files/95334090439.pdf
    • https://cdn.shopify.com/s/files/1/0435/0178/1156/files/santa_banta_wall_paper.pdf
    • https://cdn.shopify.com/s/files/1/0430/9444/2133/files/fejedebimepij.pdf
    • https://cdn.shopify.com/s/files/1/0438/9994/5112/files/bisphenol_a_toxicity.pdf
    • https://cdn.shopify.com/s/files/1/0431/9536/7585/files/viper_remote_start_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/1018/5637/files/spring_boot_tutorial_point.pdf
    • https://cdn.shopify.com/s/files/1/0431/1823/1709/files/97387099244.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000661c.bin
22ecead5929325a59c7dec921fd8aca39b7b8a880f3325e38c5153a93f3956b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x661C 5612 bytes
font_01_sfnt_off00007936.bin
ec8b0008073d4e4009d6ab19ea84e823fc0911f3d8ecbc624a18a56b5092f51f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7936 10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.