Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3d1a6b8e7ada539…

MALICIOUS

PDF

40.4 KB Created: 2020-09-18 12:23:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7e47e0cccace6708619aa1e53e05e69 SHA-1: 672fcd8714b31582d3dc5fb5ec014a9c3eb75fa0 SHA-256: a3d1a6b8e7ada539dc26e6c7e4bd20b612c32d62ff2ae6d6c2bea493461ef0b9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged as malicious due to a critical heuristic identifying it as a redirector link to known malicious infrastructure. It also contains a large number of external PDF links, characteristic of a link farm. The primary malicious IOC is the redirector URL, which is likely used to lure victims to a phishing or malware site. No scripts were extracted, limiting further analysis of the execution chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=the+chemical+level+of+organization+worksheet
    • https://cdn.shopify.com/s/files/1/0431/5014/7733/files/autosys_scheduling_tool.pdf
    • https://cdn.shopify.com/s/files/1/0436/2217/0787/files/nufesu.pdf
    • https://cdn.shopify.com/s/files/1/0437/2001/6024/files/free_android_games_sites.pdf
    • https://6ccdaaed-091e-4ee8-aa01-5a012a3f5ee6.filesusr.com/ugd/9d66c7_1f7afb8f48584d1993d4adb01c049217.pdf?index=true
    • https://d9cec5ed-ee61-4a4d-95c2-b135f2b6a321.filesusr.com/ugd/60933b_189a7c07c06c437783036e27a1639ea8.pdf?index=true
    • https://93a7bf07-f94d-4481-aa3b-247fab85d1d4.filesusr.com/ugd/2d1648_5ac35b119d2e476092094527cec86f76.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/2825/0781/files/ejercicios_ingles_2_eso.pdf
    • https://cdn.shopify.com/s/files/1/0437/9626/7168/files/walkman_apk_download_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0432/6119/8500/files/bejebopigizujibidax.pdf
    • https://cdn.shopify.com/s/files/1/0434/9542/4165/files/41297830300.pdf
    • https://1a56504a-5a3e-4bc4-945d-81cc494c69fc.filesusr.com/ugd/1479de_372bb2ae757c4d4a80cd0a55ec92df34.pdf?index=true
    • https://cce5d1d1-5499-4bfd-91f4-1c0c718331e5.filesusr.com/ugd/217b8a_e6142bd9c3fb4deaa9a90454a3165974.pdf?index=true
    • https://987594d5-d4d8-48d5-a5ec-397a3a685375.filesusr.com/ugd/ff3115_918a5b774f3848939f09ac0c79e701c3.pdf?index=true
    • https://3812216e-92c8-466c-9209-c2b40824e7c7.filesusr.com/ugd/1decf9_076f22e02fe042ab8b85fdebe43cde39.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006119.bin
5bc44916acdd7632fcf2ed742a87b9f24650edb092f322864c659722c1cc2ccb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6119 5508 bytes
font_01_sfnt_off000073cf.bin
1dca2622577d77e788cc514ffbe13ee26a36f8f427727d408df86bb54b53f572		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73CF 9568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.