Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7a9ac01aa698050…

MALICIOUS

PDF

42.3 KB Created: 2020-09-11 13:32:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0291ae248e6ab33433189077fefa3dcc SHA-1: 5182921b42dcd7ad48777010cb7efdaee5c10c8f SHA-256: a7a9ac01aa6980502e23db55004395f7f850200907366f9a3f3bf37029b26394
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to a McDonald's menu and a URL that appears to be part of the lure. The heuristic firings confirm the presence of malicious redirector links and a link farm, indicating a strong intent to direct users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=mcdonald%2527+s+menu++south+africa
    • http://mokoma.kirkreview.com/uploads/1/3/1/6/131606490/0a0f3edca128.pdf
    • http://zofinovob.mtalto.com/uploads/1/3/1/6/131606140/959c7f37138885.pdf
    • http://files.rabunlakestrading.com/uploads/1/3/0/7/130775518/9a5e25f9.pdf
    • http://files.pamelaquillin.com/uploads/1/3/0/7/130739024/e1cdca80a22.pdf
    • http://files.brigitmccallum.com/uploads/1/3/1/8/131856476/2710047.pdf
    • http://pibejuvam.step-by-stepsurgery.com/uploads/1/3/1/8/131859527/3421813.pdf
    • http://guzerivo.fairoaksproducts.com/uploads/1/3/0/7/130776031/1ba288434.pdf
    • https://static.usrfiles.com/ugd/8d0191_e1ada63de56f49a0b1e2152ff595f9fe.pdf
    • https://static.usrfiles.com/ugd/eb6612_54b88b64839d44aeb6cecea1c4d93229.pdf
    • https://static.usrfiles.com/ugd/76b6de_b66e9e6c84eb4438b142f00d3224d237.pdf
    • https://static.usrfiles.com/ugd/6f9b04_2e09561f1910412aa84d4480b0de3c1a.pdf
    • https://static.usrfiles.com/ugd/e80f4c_8903efa4de854486a441b14b576f2f8e.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/mateximizejeza.pdf
    • https://cdn.shopify.com/s/files/1/0458/0799/2998/files/carnival_hub_app_s.pdf
    • https://cdn.shopify.com/s/files/1/0431/5516/1252/files/73022727339.pdf
    • https://cdn.shopify.com/s/files/1/0429/4973/8650/files/english_grammar_worksheets_for_class_4_cbse.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000670d.bin
640c4335d0708f091d07d35e42bce250029d78d5985150efcdb8190002b4cf2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x670D 5300 bytes
font_01_sfnt_off000078fc.bin
557acbdea92cc1cb4c05dc2943001c00253d32f8d356ddaef031bfaf73adaa4c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78FC 10300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.