Malicious PDF — malware analysis report

Static analysis result for SHA-256 acb3f64fcf25e413…

Verdict: MALICIOUS

File type: PDF

Size: 41.9 KB
Created: 2020-08-31 09:18:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 973240323431637bbca12fc1692048e4
SHA-1: e554e16f7add804b9dd4300e3c262134b21afc5d
SHA-256: acb3f64fcf25e413fc0536c130f3025b11201068200c9fa409b8735293baa050
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that redirects to known malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, appears to be a lure related to a 'John Deere 3130 workshop manual'. The ML classifier also strongly flagged this PDF as malicious. The primary IOC is the malicious redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=john+deere+3130+workshop+manual
    • https://static.usrfiles.com/ugd/bf650e_6aa37941f77a483e893aae3b8daeb53d.pdf
    • https://static.usrfiles.com/ugd/b8c837_a4c5a4c552b24ff7ade7d7a220749a44.pdf
    • https://static.usrfiles.com/ugd/23e9be_4e37490ff1ee4f93b7f7d39c63eb3cc5.pdf
    • https://static.usrfiles.com/ugd/105a8c_585fa36be4fe4574b642837801ff6e3a.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/39738284996.pdf
    • https://cdn.shopify.com/s/files/1/0434/2156/5084/files/xinelopeg.pdf
    • https://cdn.shopify.com/s/files/1/0431/8589/7627/files/vk_publications_accountancy_class_12_solutions.pdf
    • https://cdn.shopify.com/s/files/1/0431/7387/1767/files/dll_fixer_crack.pdf
    • https://cdn.shopify.com/s/files/1/0430/4591/2727/files/kinuw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f23.bin
  SHA-256: f0803f3a5e32b205c4311e0b34d08ac3a73239cfb0c9a3b42f1d62f82cc33395
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5F23
  Size: 5700 bytes

Filename: font_01_sfnt_off0000726a.bin
  SHA-256: 0162a8979050f956ce79f36cd17f75a1a4e88b88033f4674b95c8a43f549ca80
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x726A
  Size: 13160 bytes