Malicious PDF — malware analysis report

Static analysis result for SHA-256 a47483913f302894…

MALICIOUS

PDF

39.8 KB Created: 2020-08-02 18:15:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: adbb320586c4461a1547521eef35ca43 SHA-1: 9f0faffc72d314434dac4a94e3f870ca5d546958 SHA-256: a47483913f302894d2f82ac19a8fc8b6087062317f227c03e1fc4ef603393b48
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, with the primary link directing to a known malicious redirector. The document body, though heavily obfuscated, contains the target URL, suggesting a lure to a malicious site. The presence of numerous PDF links indicates a link farm strategy, likely for SEO poisoning or to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=aprilaire+700+manual
    • http://files.realwriting.org/uploads/1/3/1/4/131484133/4110134.pdf
    • http://xajefizo.bbqpete.com/uploads/1/3/2/3/132302872/timebele-fupaxogab-vibakef-sefadutubilofa.pdf
    • http://files.intuitivecoachingwithamy.com/uploads/1/3/1/8/131856039/gavevo-wifefuvamoru-fularewumokag-rudimad.pdf
    • http://files.philhamiltondesign.com/uploads/1/3/2/3/132302924/7796697.pdf
    • https://cdn.shopify.com/s/files/1/0434/7065/1558/files/55164150917.pdf
    • https://cdn.shopify.com/s/files/1/0431/8648/7455/files/nedope.pdf
    • https://cdn.shopify.com/s/files/1/0434/3165/7638/files/vadefe.pdf
    • https://cdn.shopify.com/s/files/1/0429/1313/6799/files/94130850023.pdf
    • https://cdn.shopify.com/s/files/1/0427/6856/4380/files/44212142934.pdf
    • https://cdn.shopify.com/s/files/1/0430/8759/3632/files/17091376300.pdf
    • https://cdn.shopify.com/s/files/1/0429/2280/3363/files/katokonefanilufaluzabuku.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/puliwaxaj.pdf
    • https://cdn.shopify.com/s/files/1/0435/6728/4383/files/34498703551.pdf
    • https://cdn.shopify.com/s/files/1/0428/7820/6111/files/ziwaruwogumelurolafefe.pdf
    • https://cdn.shopify.com/s/files/1/0427/9291/1007/files/40352754902.pdf
    • https://cdn.shopify.com/s/files/1/0437/9181/0717/files/sepewixerekutofopapepulup.pdf
    • https://cdn.shopify.com/s/files/1/0436/1394/6018/files/81827261513.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d7b.bin
c8a0d5874b65a8e11670c670da36e50c5a89856eda9ce7257e238a6969138775		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D7B 4996 bytes
font_01_sfnt_off00006e68.bin
71297a3e4f4f7ebbd1eec6f1b6848c24f8fb52ed4026e96dcc66f56d8d33f47e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E68 10508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.