Malicious PDF — malware analysis report

Static analysis result for SHA-256 a55e657772a9f0a8…

Verdict: MALICIOUS
File type: PDF
Size: 65.9 KB
Created: 2020-08-01 05:36:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b93ae509578b84cc2df59542d2abbc1d
SHA-1: d533f288e61e7c740f1916ae61e579c018b15279
SHA-256: a55e657772a9f0a8ac5bd677a6226c7c91fb6f3652a0d42801fc908143d2c9fb
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, one of which points to a known malicious redirector. This suggests the document's primary purpose is to lure users to malicious sites. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the link-farm and redirector heuristics are sufficient to determine the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=jquery+on+radio+change
    • http://files.savannahconcretecontractors.com/uploads/1/3/1/4/131453894/6782364.pdf
    • http://files.silveressencefloatingspa.com/uploads/1/3/1/3/131379343/6993498.pdf
    • http://files.nineravensstudio.com/uploads/1/3/0/8/130873781/5737509.pdf
    • http://files.beckeras.no/uploads/1/3/1/1/131163859/dibawafitexo_gujufewiz_merevevi_xujukubigi.pdf
    • http://files.trillastable.com/uploads/1/3/2/6/132680784/vovulexozobaw-putenu-tufarerel.pdf
    • https://cdn.shopify.com/s/files/1/0434/7455/0949/files/sakufetikezarefabuwipoteg.pdf
    • https://cdn.shopify.com/s/files/1/0431/7315/0869/files/hillsborough_county_schools_report_cards.pdf
    • https://cdn.shopify.com/s/files/1/0432/4930/3720/files/83196651737.pdf
    • https://cdn.shopify.com/s/files/1/0432/4953/3088/files/5288326152.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/duwaxufezemurogagur.pdf
    • https://cdn.shopify.com/s/files/1/0437/7955/5486/files/42596233951.pdf
    • https://cdn.shopify.com/s/files/1/0433/8047/4014/files/suwenudagun.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/kejalovutekumigazelujatin.pdf
    • https://cdn.shopify.com/s/files/1/0431/7646/0445/files/zisefepaneneg.pdf
    • https://cdn.shopify.com/s/files/1/0430/3031/5159/files/32678432512.pdf
    • https://cdn.shopify.com/s/files/1/0428/9812/9062/files/sogubuwejorunevabaru.pdf
    • https://cdn.shopify.com/s/files/1/0431/2412/9952/files/sowirikidetelixub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off00006874.bin
    SHA-256: 6a89fe47d72759a2bc28d02a2ceea3cae774c48e57b50081499908179fb30c71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6874
    Size: 7252 bytes
  • font_01_sfnt_off000080e3.bin
    SHA-256: 2a1f59e6e361721d2581ad70e7d342616f959f1a0dcaea20ceef2cd43040c81f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x80E3
    Size: 5012 bytes
  • font_02_sfnt_off000091cf.bin
    SHA-256: bb44f9e0888cf129cf33b9df11e2ad30047d5ca80bd870f2b5398cabdc3c9180
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x91CF
    Size: 5300 bytes
  • font_03_sfnt_off0000a4bd.bin
    SHA-256: 74435b782032a09f729511837f84edd5d3fc23d17d5c5725c537909ff58e489e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA4BD
    Size: 14980 bytes
  • font_04_sfnt_off0000d435.bin
    SHA-256: 83bef66c6561b95eb5a2b1d1e7e397f6314a1592f594bbe4b43077e8fac9c90d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD435
    Size: 16900 bytes
  • font_05_sfnt_off0000eb8a.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB8A
    Size: 4324 bytes