Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fcd27364f5e8637…

Verdict: MALICIOUS
File type: PDF
Size: 68.5 KB
Created: 2020-08-30 16:22:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a99c00a9e2f46c45641f389c378fabd8
SHA-1: df6c736db54144f4faf0598e393b782ca744a12e
SHA-256: 9fcd27364f5e8637c9f6be41a9c406516a6338bbb38b60bda56d525bac4a8f51
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell (no PowerShell artifact appears among the static findings below)

The PDF carries clickable link annotations that point to a known malicious redirector (ttraff.ru), and the ML classifier scores it as malicious with maximum confidence (1.0000). The document body, although heavily obfuscated, also contains a URL flagged as a malicious redirector. Taken together, the document's primary purpose is to route the user into malicious infrastructure through a redirect chain; the detection rests on the links themselves, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are not reproduced in this export. In this sample the first URL (ttraff.ru) is the redirector hit, the cdn.shopify.com entries are the link-farm targets clustered on one host, and the last six are standard RDF/XMP metadata namespace URIs from the document's XMP packet, not clickable links.
    • https://ttraff.ru/wix?keyword=management+process+organizational+be
    • https://cdn.shopify.com/s/files/1/0438/2821/5968/files/probability_mass_function_cdf.pdf
    • https://cdn.shopify.com/s/files/1/0432/7732/0352/files/26809328603.pdf
    • https://cdn.shopify.com/s/files/1/0440/8039/8486/files/peladadamagomutapixun.pdf
    • https://cdn.shopify.com/s/files/1/0429/0668/1497/files/adventure_cyclist_magazine.pdf
    • https://cdn.shopify.com/s/files/1/0438/4319/0944/files/sistem_reproduksi_pada_manusia.pdf
    • https://cdn.shopify.com/s/files/1/0430/0197/0837/files/meditech_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0428/2312/3100/files/tubovipasenalunopajalunul.pdf
    • https://cdn.shopify.com/s/files/1/0467/5934/6339/files/kejosunumude.pdf
    • https://cdn.shopify.com/s/files/1/0430/8392/3609/files/cisco_ccna_download.pdf
    • https://cdn.shopify.com/s/files/1/0446/9565/0457/files/vumeza.pdf
    • https://cdn.shopify.com/s/files/1/0430/1278/4277/files/gevel.pdf
    • https://cdn.shopify.com/s/files/1/0440/4245/3157/files/wozozosa.pdf
    • https://cdn.shopify.com/s/files/1/0432/3295/2477/files/autonics_tk4s-_14rn_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/5419/3047/files/vebev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
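How the redirector and link-farm heuristics above can be reproduced, as an added example in Python (not the analysis platform's own code). It builds a constructed one-page PDF carrying one /Link annotation per URL, pulls the /URI strings back out with a regex, checks each host against a redirector list seeded only with the ttraff.ru host from this report, and applies an assumed link-farm rule. The LINK_FARM_* thresholds, the function names and the cdn.shopify.com sample paths are assumptions, not the platform's real values or the report's exact URLs.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts known as malicious redirectors. Assumption: a real list comes from
# threat intel; ttraff.ru is the only host taken from this report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Assumed thresholds for the link-farm rule (not the platform's actual values).
LINK_FARM_MAX_FILE_SIZE = 200 * 1024  # "small PDF"
LINK_FARM_MIN_PDF_LINKS = 10          # "many" external .pdf links
LINK_FARM_TOP_HOST_SHARE = 0.8        # "mostly clustered on one host"

# /URI (literal string) inside a link annotation's action dictionary.
# The group accepts backslash escapes so a ')' inside the URL does not end it.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes):
    """Return every /URI string in the file, with PDF string escapes removed."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def assess_links(pdf_bytes):
    """Apply the redirector and link-farm rules; return hosts and findings."""
    uris = extract_link_uris(pdf_bytes)
    hosts = Counter(h for h in (urlparse(u).hostname for u in uris) if h)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    findings = []

    redirectors = sorted(h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS)
    if redirectors:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", redirectors))

    if (hosts and len(pdf_bytes) <= LINK_FARM_MAX_FILE_SIZE
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS):
        top_host, top_count = hosts.most_common(1)[0]
        if top_count / len(uris) >= LINK_FARM_TOP_HOST_SHARE:
            findings.append(("PDF_SEO_LINK_FARM", "critical", [top_host]))

    return {"uris": uris, "hosts": dict(hosts), "findings": findings}


def build_sample_pdf(uris):
    """Constructed sample: one page whose only objects are /Link annotations.
    The xref table is omitted; the regex extractor does not need it."""
    annots, refs = [], []
    for i, u in enumerate(uris):
        n = 4 + i
        refs.append(f"{n} 0 R")
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                      f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
    body = ("1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(refs)}] >>\nendobj\n" + "".join(annots))
    return ("%PDF-1.4\n" + body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed input: the ttraff.ru URL from the report plus 14 hypothetical
# cdn.shopify.com paths standing in for the link farm.
SAMPLE_URIS = ["https://ttraff.ru/wix?keyword=management+process+organizational+be"] + [
    f"https://cdn.shopify.com/s/files/1/0400/0000/{i:04d}/files/doc{i}.pdf" for i in range(14)
]

if __name__ == "__main__":
    result = assess_links(build_sample_pdf(SAMPLE_URIS))
    for rule, severity, detail in result["findings"]:
        print(f"[{severity}] {rule}: {', '.join(detail)}")
```

The link-farm share is computed over all extracted link annotations, so a single redirector link among many same-host PDF links still trips the rule, which is the pattern this sample shows. A regex over raw bytes misses URIs inside object streams or compressed annotation dictionaries; a production extractor decompresses those first.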

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ce09.bin
    SHA-256: 6cb412c5a14df5fbb1dbd0482f624c8abdd4c7ec4ba3827568a7b9cda8393ceb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE09
    Size: 5448 bytes
  • font_01_sfnt_off0000e085.bin
    SHA-256: 8cf8a4d471e01c262d83eafbdcc2086dd4e3f9b475ff12c76495c12dd075bd38
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE085
    Size: 10712 bytes
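How embedded sfnt fonts can be carved out of a PDF and hashed into artifacts like the two above, as an added example in Python (not the platform's own carver). The PDF and the 82-byte sfnt skeleton inside it are constructed here so the script runs offline; the stream-parsing regex handles direct /Length values and one level of nested dictionaries, which is enough for the sample but is not a substitute for a real PDF tokenizer. All function and constant names are assumptions.

```python
import hashlib
import re
import struct
import zlib

# sfnt container magics: TrueType 1.0, Apple 'true', OpenType CFF, TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# A stream object's dictionary followed by the 'stream' keyword. The dictionary
# pattern allows one level of nested << >>; a real parser would tokenize instead.
_STREAM_HEAD_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct /Length value; the lookahead rejects indirect references like '/Length 8 0 R'.
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")


def iter_streams(pdf_bytes):
    """Yield (data_offset, dictionary_bytes, raw_stream_bytes) for each stream."""
    for m in _STREAM_HEAD_RE.finditer(pdf_bytes):
        dictionary, start = m.group(1), m.end()
        length = _LENGTH_RE.search(dictionary)
        if length:
            end = start + int(length.group(1))
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf_bytes.find(b"endstream", start)
        yield start, dictionary, pdf_bytes[start:end]


def carve_sfnt_fonts(pdf_bytes):
    """Inflate each stream if needed and keep the ones that start like an sfnt."""
    fonts = []
    for offset, dictionary, raw in iter_streams(pdf_bytes):
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # damaged or unsupported filter chain; skip
        if data[:4] in SFNT_MAGICS:
            fonts.append({
                "offset": offset,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
    return fonts


def make_sample_font():
    """Constructed 82-byte sfnt skeleton: offset table plus one 'head' record.
    It is not a usable font, only enough to carry the magic and table layout."""
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    head_record = b"head" + struct.pack(">III", 0, 28, 54)
    return offset_table + head_record + bytes(54)


def build_sample_pdf(font):
    """Constructed PDF with one plain content stream (to be skipped) and one
    Flate-compressed FontFile2 stream carrying the font. No xref table."""
    comp = zlib.compress(font)
    content = b"BT /F1 12 Tf (hi) Tj ET"
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Type /Font /Subtype /TrueType /BaseFont /Sample /FontDescriptor 6 0 R >>\nendobj\n",
        b"6 0 obj\n<< /Type /FontDescriptor /FontName /Sample /FontFile2 7 0 R >>\nendobj\n",
        b"7 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(comp), len(font))
        + comp + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_FONT = make_sample_font()

if __name__ == "__main__":
    for i, f in enumerate(carve_sfnt_fonts(build_sample_pdf(SAMPLE_FONT))):
        print(f"font_{i:02d}_sfnt_off{f['offset']:08x}.bin  {f['size']} bytes  {f['sha256']}")
```

The offset recorded is that of the stream data in the file, which is the number that ends up in a name like font_00_sfnt_off0000ce09.bin; hashing the inflated bytes rather than the compressed stream is what makes the SHA-256 comparable across PDFs that embed the same font with different compression settings.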