Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bbf90ef8c649c79…

MALICIOUS

PDF

39.8 KB Created: 2020-09-04 23:02:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d2aea926c0d89237ecd44632107c6bcc SHA-1: dd4e69f2d06c9b1885e6a25c2d5ac9a7541711b9 SHA-256: 9bbf90ef8c649c79558c1c79d8b72293bf6ada1876eea37941d2690b9e1823f9
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link. The document body, though heavily obfuscated, contains text referencing 'Sequoia capital pitch deck pdf' and the malicious URL. This suggests a phishing attempt where the user is tricked into clicking the link, likely leading to a further malicious download or exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=sequoia+capital+pitch+deck+pdf
    • https://cdn.shopify.com/s/files/1/0462/2893/0709/files/14695207415.pdf
    • https://cdn.shopify.com/s/files/1/0434/0151/1068/files/35423188413.pdf
    • https://cdn.shopify.com/s/files/1/0438/6367/0939/files/96767419140.pdf
    • https://cdn.shopify.com/s/files/1/0437/3364/7525/files/calendario_serie_a_completo.pdf
    • https://cdn.shopify.com/s/files/1/0435/0181/3915/files/ccrn_renal_review.pdf
    • https://static.usrfiles.com/ugd/e4ee87_0eecb658602f45e29174dbcc56d386a2.pdf
    • https://static.usrfiles.com/ugd/b7082a_18e0773fb9a84a8b9a15bc28f36ca7a2.pdf
    • https://static.usrfiles.com/ugd/0ad6c7_e9207030710a4b6eb5e95bd7781c1b15.pdf
    • https://static.usrfiles.com/ugd/1849a1_e9134256fa99491fbcbe65f5e9a26ddb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c93.bin
e4e516e2eb7655af0f895e2ed3ae9bb0714c7dfbfeb3af8ed146e675505096f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C93 5260 bytes
font_01_sfnt_off00006e7b.bin
1926410321b2eb664bd8e9bae4ff4acba0cfa142b941a3f7bcbb38115dbbe3fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E7B 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.