Malicious PDF — malware analysis report

Static analysis result for SHA-256 a92dc407c6b20f7c…

MALICIOUS

PDF

130.7 KB Created: 2020-08-19 16:20:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: afeef3b2061c536155d96e151c35fa42 SHA-1: 1a1de23f99971d8e24126294fe3f0c3c8ca60501 SHA-256: a92dc407c6b20f7c18fc83f2b3ea7eeecfe65bb4cc72af27795265fd5895bd99
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the malicious redirector. This suggests the PDF is designed to lead users to malicious infrastructure, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=wow+auctionator+addon+guide
    • http://tekiz.johnlcbarnes.com/uploads/1/3/1/4/131407552/taxib.pdf
    • http://files.nowspajuneau.com/uploads/1/3/0/8/130874350/giboxogaxez.pdf
    • http://files.dcsnetworks.co/uploads/1/3/1/8/131856456/tetotexiwogum_vopij_bufot_wotoxoligaja.pdf
    • https://cdn.shopify.com/s/files/1/0431/0102/8503/files/different_types_of_bolts.pdf
    • https://cdn.shopify.com/s/files/1/0439/0325/4696/files/fazosiwevi.pdf
    • https://cdn.shopify.com/s/files/1/0429/6422/2101/files/saints_row_4_music.pdf
    • https://cdn.shopify.com/s/files/1/0427/6341/9814/files/17598506551.pdf
    • https://cdn.shopify.com/s/files/1/0432/4225/8587/files/allergy_definition.pdf
    • https://cdn.shopify.com/s/files/1/0433/0058/5636/files/terezotebonowopefinanatet.pdf
    • https://cdn.shopify.com/s/files/1/0432/5877/3662/files/26524071440.pdf
    • https://cdn.shopify.com/s/files/1/0432/2718/5311/files/zutoka.pdf
    • https://cdn.shopify.com/s/files/1/0431/5031/1579/files/digital_boarding_pass_app_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0432/3940/7784/files/bugabuwerolodidanumov.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c74d.bin
6efbdc1c1c21df0832160c58d87a92b024fc34dd37756699012c587c491b44e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C74D 5004 bytes
font_01_sfnt_off0001d86e.bin
c5df3acd647feb18ab20349fb60db32efa8304208d3c7f8ecab14f6027ea8e5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D86E 10912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.