Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c1082e03246e6f6…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Created: 2020-09-17 13:43:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aeeaae8fe37e591f5b60d0491db68a74
SHA-1: 12c9ab4703a774ce6c65b4ec9e9e7af3fef1758a
SHA-256: 9c1082e03246e6f6171f2ffb25ff8e0fb1ecd66b9dda6bc9847ac8c1d6a36abc
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries multiple clickable link annotations, one of which (the ttraff.link URL listed below) points to a known malicious redirector. The same redirector URL also appears in the document body, which is otherwise heavily obfuscated. The large number of links, most of them to external PDFs clustered on a single hosting domain, is characteristic of a generated link-farm or SEO-poisoning carrier built to attract search traffic and clicks, not of a genuine document citing sources. The ML classifier independently scored the file as malicious. Delivery here depends on the user clicking through a redirect chain, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is what the click leads to, not the file itself.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one hosting domain. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel (macro, JavaScript, link annotation, document body, ...) through which each URL was reached. The six http://www.w3.org/, http://purl.org/ and http://ns.adobe.com/ entries at the end of the list are XMP/RDF namespace URIs from the document metadata, not clickable links; any PDF produced by a tool that writes XMP contains them.
    • https://ttraff.link/wix?keyword=crayfish+internal+anatomy+functions (the redirector link; also present in the document body)
    • http://files.liberalcoalition.com/uploads/1/3/0/8/130813692/zetikeni_vokoku.pdf
    • http://files.tastethe4thsense.com/uploads/1/3/1/4/131408798/3f03fb1.pdf
    • https://610ba7ed-0e35-414e-9f3e-b09cef9c9e2a.filesusr.com/ugd/9d66c7_c7c8091b3df04901aa499e2188fc978b.pdf?index=true
    • https://a69c46a7-5cb0-4a80-a30b-f65fe0fdf743.filesusr.com/ugd/3d7af5_22c48ae024824b1fb0e706f329dcdef3.pdf?index=true
    • https://0044f6a1-319c-45a6-a068-4a2246c77731.filesusr.com/ugd/b73feb_6f2bb14602fb42f8beda07a8c2b9e32a.pdf?index=true
    • https://be35ef8f-af4a-458e-a884-d12a51427fea.filesusr.com/ugd/f55bec_6b73db869b4249b19ba8b6531d1ca0c0.pdf?index=true
    • https://55e62cc8-ede4-455f-89ab-23d5f1f7853d.filesusr.com/ugd/a4e402_924f40da6894470d8a3c435fafe833cb.pdf?index=true
    • https://b422303c-330d-45e5-ae08-bd666b35c880.filesusr.com/ugd/90661f_1bbd906f97c4480686c888c7ffdc5025.pdf?index=true
    • https://21817981-e8d1-44f9-a0b6-e1edc6644474.filesusr.com/ugd/b8c837_ec1de70028b540e689ddf3a63c5c79ae.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/6006/0567/files/72996130495.pdf
    • https://cdn.shopify.com/s/files/1/0440/7567/9896/files/samsung_ml_2525w_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP namespace, not a link)
    • http://purl.org/dc/elements/1.1/ (XMP namespace, not a link)
    • http://ns.adobe.com/pdf/1.3/ (XMP namespace, not a link)
    • http://ns.adobe.com/xap/1.0/ (XMP namespace, not a link)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP namespace, not a link)
    • http://ns.adobe.com/xap/1.0/rights/ (XMP namespace, not a link)
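The two critical heuristics above are simple enough to reproduce by hand. The Python below is an added illustration, not the scanner's own code: it builds a small stand-in PDF from the report's URL list (a constructed sample, not the analysed file), pulls URLs from /Link annotations and from inflated FlateDecode streams separately so that every URL carries its channel label, and then applies the redirector and link-farm checks. The blocklist (seeded only with ttraff.link because the report names it), the size and clustering thresholds, and the two-label approximation of a registrable domain are assumptions made for the example.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Stand-in blocklist seeded from the report's own finding (ttraff.link); a real
# analyser consults a threat feed. XMP namespace URIs are metadata, never links.
REDIRECTOR_HOSTS = {"ttraff.link"}
NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # /URI (...) in a /Link action
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)endstream", re.S)  # approximate, no real parser

def inflate_streams(pdf: bytes) -> bytes:
    """Raw bytes plus the inflated data of every FlateDecode stream, so URLs hidden in
    compressed page content or object streams are visible to a string scan."""
    extra = []
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:  # decompressobj tolerates the EOL before 'endstream' and truncated data
                extra.append(zlib.decompressobj().decompress(body))
            except zlib.error:
                pass  # corrupt stream: skip it rather than crash on hostile input
    return pdf + b"\n" + b"\n".join(extra)

def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channels it was reached through: 'link_annotation' for
    clickable /URI targets, 'body' for URLs that merely occur as strings elsewhere."""
    data = inflate_streams(pdf)
    channels = {}
    for target in URI_ANNOT_RE.findall(data):
        channels.setdefault(target.decode("latin-1"), set()).add("link_annotation")
    body_text = URI_ANNOT_RE.sub(b"", data)  # do not double-count annotation targets as body text
    for match in URL_RE.findall(body_text):
        url = match.decode("latin-1")
        if not url.startswith(NAMESPACE_PREFIXES):
            channels.setdefault(url, set()).add("body")
    return channels

def registrable_domain(host: str) -> str:
    # Assumption: the last two labels stand in for the registrable domain, so every
    # *.filesusr.com subdomain clusters together. Real tooling uses the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def run_heuristics(pdf, channels, small_limit=200_000, min_pdf_links=5, cluster_ratio=0.5):
    """The report's three checks; thresholds are assumptions, not the scanner's values."""
    hits, clickable = [], sorted(u for u, ch in channels.items() if "link_annotation" in ch)
    for url in clickable:
        if registrable_domain(urlsplit(url).hostname or "") in REDIRECTOR_HOSTS:
            hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", url))
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) < small_limit and len(pdf_links) >= min_pdf_links:
        top, n = Counter(registrable_domain(urlsplit(u).hostname or "") for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            hits.append(("critical", "PDF_SEO_LINK_FARM", f"{len(pdf_links)} external PDF links, {n} on {top}"))
    for url in sorted(channels):
        hits.append(("info", "EMBEDDED_URL", f"{url} via {'+'.join(sorted(channels[url]))}"))
    return hits

def build_sample_pdf(link_urls, body_urls) -> bytes:
    """Constructed one-page PDF (not the analysed sample): one /Link annotation per
    link_urls entry, body_urls as text inside a FlateDecode-compressed content stream."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (" + " ".join(body_urls).encode() + b") Tj ET")
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None,
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream"]
    refs = []
    for url in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] /A << /S /URI /URI ("
                    + url.encode() + b") >> >>")
        refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
               + b" ".join(refs) + b"] >>")
    out, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    return out + b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, startxref)

REPORT_LINKS = [  # the URLs listed in the report above, minus the XMP namespace URIs
    "https://ttraff.link/wix?keyword=crayfish+internal+anatomy+functions",
    "http://files.liberalcoalition.com/uploads/1/3/0/8/130813692/zetikeni_vokoku.pdf",
    "http://files.tastethe4thsense.com/uploads/1/3/1/4/131408798/3f03fb1.pdf",
    "https://610ba7ed-0e35-414e-9f3e-b09cef9c9e2a.filesusr.com/ugd/9d66c7_c7c8091b3df04901aa499e2188fc978b.pdf?index=true",
    "https://a69c46a7-5cb0-4a80-a30b-f65fe0fdf743.filesusr.com/ugd/3d7af5_22c48ae024824b1fb0e706f329dcdef3.pdf?index=true",
    "https://0044f6a1-319c-45a6-a068-4a2246c77731.filesusr.com/ugd/b73feb_6f2bb14602fb42f8beda07a8c2b9e32a.pdf?index=true",
    "https://be35ef8f-af4a-458e-a884-d12a51427fea.filesusr.com/ugd/f55bec_6b73db869b4249b19ba8b6531d1ca0c0.pdf?index=true",
    "https://55e62cc8-ede4-455f-89ab-23d5f1f7853d.filesusr.com/ugd/a4e402_924f40da6894470d8a3c435fafe833cb.pdf?index=true",
    "https://b422303c-330d-45e5-ae08-bd666b35c880.filesusr.com/ugd/90661f_1bbd906f97c4480686c888c7ffdc5025.pdf?index=true",
    "https://21817981-e8d1-44f9-a0b6-e1edc6644474.filesusr.com/ugd/b8c837_ec1de70028b540e689ddf3a63c5c79ae.pdf?index=true",
    "https://cdn.shopify.com/s/files/1/0429/6006/0567/files/72996130495.pdf",
    "https://cdn.shopify.com/s/files/1/0440/7567/9896/files/samsung_ml_2525w_manual.pdf",
]

def analyse_sample():
    # The redirector URL also goes into the compressed body, as the report describes.
    pdf = build_sample_pdf(REPORT_LINKS, body_urls=[REPORT_LINKS[0]])
    return run_heuristics(pdf, extract_urls(pdf))

if __name__ == "__main__":
    for severity, name, detail in analyse_sample():
        print(f"[{severity}] {name}: {detail}")
```

Running it reproduces the two critical hits: the ttraff.link URL is reported through both the link_annotation and body channels, and 7 of the 11 PDF links cluster on filesusr.com, which trips the link-farm check. The regex stream scan is deliberately rough; on a real sample, swap inflate_streams and extract_urls for a proper PDF parser so that object streams, cross-reference streams and other filters are covered.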

Extracted artifacts (2)

Files carved from inside the sample during analysis. Neither detection above involves these streams.

Filename                        Kind             Source                                      Size
font_00_sfnt_off000071d9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x71D9   5128 bytes
  SHA-256: 7c204d810c2f6a635415480ee5f806d9e7074c3dce69934f5654221c4c6418ad
font_01_sfnt_off0000832c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x832C   10080 bytes
  SHA-256: 1a13f018755aa54fa72a8ba9907a60c7a111e3b8eaf917905be4975654bb752e