Malicious PDF — malware analysis report

Static analysis result for SHA-256 b10391c73fb7da1c…

MALICIOUS

PDF

49.9 KB Created: 2020-08-06 23:42:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1182104cfa9b7cc8317dd164abf3e07 SHA-1: 498518ee4c410a5e7c083ab8c55cec47c47e270f SHA-256: b10391c73fb7da1c5e27fc475fb815647f5919cfc236321adcd992b05f4b4e42
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=anandpur+sahib+resolution+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern involves luring the user to click on the malicious link, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=anandpur+sahib+resolution+pdf
    • http://files.stjhollandfaith.org/uploads/1/3/0/7/130740033/3637342.pdf
    • http://files.brickhousellamas.com/uploads/1/3/0/7/130739693/gexawenik_jozoboge_baberogezi.pdf
    • http://files.modernbarandhome.store/uploads/1/3/1/3/131380343/zosevarawa_towodoroxete.pdf
    • https://cdn.shopify.com/s/files/1/0431/7983/5547/files/90664011034.pdf
    • https://cdn.shopify.com/s/files/1/0432/5395/6758/files/68116193217.pdf
    • https://cdn.shopify.com/s/files/1/0430/6213/2897/files/bofekizunetazaru.pdf
    • https://cdn.shopify.com/s/files/1/0432/1650/2939/files/longboards_lees_summit.pdf
    • https://cdn.shopify.com/s/files/1/0432/6470/4662/files/webutu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7420/8415/files/45017323777.pdf
    • https://cdn.shopify.com/s/files/1/0430/5338/3833/files/93028132149.pdf
    • https://cdn.shopify.com/s/files/1/0432/7863/1072/files/gulezusaxus.pdf
    • https://cdn.shopify.com/s/files/1/0435/9569/4239/files/96064360648.pdf
    • https://cdn.shopify.com/s/files/1/0431/9812/0096/files/40203992622.pdf
    • https://cdn.shopify.com/s/files/1/0428/1162/1543/files/kudeziroxosiluxaluze.pdf
    • https://cdn.shopify.com/s/files/1/0430/7006/2754/files/61144253038.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008641.bin
ff402b87662413ded32d71d4dbea554c2c3e0ef206351b59bf64af2480313c7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8641 5256 bytes
font_01_sfnt_off00009816.bin
23dcb63669c23e9283fbea9bd4a046188d56fb5ad1448122693523190600ad5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9816 10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.