Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a110ac00891f981…

Verdict: MALICIOUS
File type: PDF

Size: 43.8 KB
Created: 2020-08-30 22:28:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a79b0d0c8a1c492fbe26e4b75559495f
SHA-1: 06aa12ea340cee4441e60f488c79bd237dabb911
SHA-256: 9a110ac00891f9816fcd5e1dfded96ed8f76c3b1157f0bb1b65874e4f5562b7a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that redirects to a malicious domain, as flagged by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text referring to a '2005 honda odyssey repair manual pdf free' search phrase together with the malicious URL. This points to a social engineering lure intended to trick users into visiting a compromised site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=2005+honda+odyssey+repair+manual+pdf+free
    • https://static.usrfiles.com/ugd/08fe48_7cd6bf134cb948e5894e1d77990a703d.pdf
    • https://static.usrfiles.com/ugd/b8c837_04d372d4222e41629291238f91e34fef.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba8a1ac2bf444e3cbfaadd51892c3988.pdf
    • https://static.usrfiles.com/ugd/724fb5_f696f57167154d74bc5cd7d4b65eadb5.pdf
    • https://static.usrfiles.com/ugd/b8c837_5e3700100bf8468690f178499c8e90fc.pdf
    • https://static.usrfiles.com/ugd/c068f8_3df8bbb95f454bdc9be6416a38019b3a.pdf
    • https://static.usrfiles.com/ugd/8d57bd_c6883dfe686646fc920aee82227228aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8a3b5f26b1c43e3b0c78f03e4a0e224.pdf
    • https://cdn.shopify.com/s/files/1/0435/4909/8148/files/48650133878.pdf
    • https://cdn.shopify.com/s/files/1/0439/2140/8168/files/adjektivdeklination_bungen_b2.pdf
    • https://cdn.shopify.com/s/files/1/0429/0553/4620/files/csgo_fps_command.pdf
    • https://cdn.shopify.com/s/files/1/0432/1663/4016/files/rorazaxotufipuveped.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/b8c837_c8a3b5f26b1c43e3b0c

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006b79.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6B79  5688 bytes
  SHA-256: 58757214a1bba140a5cb355ef0332413b17349d23c6f139704fd1a2818415716
font_01_sfnt_off00007e99.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7E99  10376 bytes
  SHA-256: 12484ae8dad7cc5f06e3840b0f3feea849b0c307116863f76bb722cedbe5af51