Malicious PDF — malware analysis report

Static analysis result for SHA-256 ace646d11a68bf45…

MALICIOUS

PDF

38.7 KB Created: 2020-08-30 04:51:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b56517e4162da83517904d4f49ce7b4f SHA-1: 82c6cb6c94041fea944fda80a7a981588e0c0527 SHA-256: ace646d11a68bf45497dcdc30ddc0c7a90c045e84c1c26a58c862d14bf11a283
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a download for 'Docker in action pdf'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this, and the ML classifier strongly indicates maliciousness. The document body, though heavily obfuscated, contains the malicious URL and a list of other PDF links, suggesting a link farm designed to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=docker+in+action+pdf
    • https://static.usrfiles.com/ugd/b8c837_846b09febf96493084f20af08920a2be.pdf
    • https://static.usrfiles.com/ugd/b8c837_7471b1917eb94287b999ede0c3e7c742.pdf
    • https://static.usrfiles.com/ugd/b8c837_9d237b1638054691bbfc12eece92e935.pdf
    • https://static.usrfiles.com/ugd/a86d68_28cf7a7eaa874370b18d7e81161ff8af.pdf
    • https://static.usrfiles.com/ugd/b8c837_f034b80f0d474d84949620da31371891.pdf
    • https://cdn.shopify.com/s/files/1/0435/3415/5928/files/nys_notary_exam_study_guide_2016.pdf
    • https://cdn.shopify.com/s/files/1/0434/4817/2710/files/83971999738.pdf
    • https://cdn.shopify.com/s/files/1/0432/0608/2717/files/retazazuloserunu.pdf
    • https://cdn.shopify.com/s/files/1/0429/0379/7913/files/furapojovidipufutixomi.pdf
    • https://cdn.shopify.com/s/files/1/0436/2692/2146/files/6th_grade_math_vocabulary_worksheets.pdf
    • https://static.usrfiles.com/ugd/b8c837_8758fbd13a154e019d46c88081db4d8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_de221f358af14cefb7bdd19a92485e94.pdf
    • https://static.usrfiles.com/ugd/b8c837_00b3841e60a445598df8d3c5c2635e84.pdf
    • https://static.usrfiles.com/ugd/91e123_2851e7f6c4bc449fbc4a9d0d57fcbb4f.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf8204b084274036b0933a571710e5af.pdf
    • https://static.usrfiles.com/ugd/432b07_41c11f3420234414aa029f210e7317a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_607fbfb1d5f645238b825f8f09e0339f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bdf.bin
177da8f4dbb1027f8d87e376ec7287520603c21221175ffde54b9806d33fb741		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BDF 5000 bytes
font_01_sfnt_off00006cef.bin
817a629dfc5ed00c669fbb42fcb1c6dcada6c25281d37c0347e2d6fd73933b49		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CEF 9672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.