Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3d1f38dfc54a9a1…

MALICIOUS

PDF

43.0 KB Created: 2020-09-28 17:02:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00e9d0998fbf33ce7734a55da719fe24 SHA-1: 7527ec69d55bf5602e89c1488da773c651583548 SHA-256: b3d1f38dfc54a9a12b12fb5a0535a5f23fbd0b6b184b34d66f6cd5cd53d1364d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document exhibits characteristics of a link farm, containing numerous external links, with a primary URL pointing to known malicious redirector infrastructure. The ML classifier strongly supports a malicious classification. The document body, though partially corrupted, contains the suspicious URL and appears to be a lure for a calendar-related search term, likely to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/mozel?keyword=calendrier+annuel+2019+%25C3%25A0+imprimer+gratuit+pdf
    • https://site-1036941.mozfiles.com/files/1036941/mapuwovefigepedapu.pdf
    • https://site-1036840.mozfiles.com/files/1036840/faxomojamilenulebizo.pdf
    • https://site-1036869.mozfiles.com/files/1036869/7646687289.pdf
    • https://site-1036767.mozfiles.com/files/1036767/fekaregoxidalu.pdf
    • http://files.westmontrotaryclub.org/uploads/1/3/2/7/132740291/98806dbeb6d.pdf
    • http://penigemit.glenmccuneart.com/uploads/1/3/1/3/131398345/9306420.pdf
    • http://bakem.gainesvilleinsurancecoverage.com/uploads/1/3/1/4/131437089/6681983.pdf
    • https://site-1036884.mozfiles.com/files/1036884/58346482458.pdf
    • https://site-1036939.mozfiles.com/files/1036939/88715954448.pdf
    • https://site-1036754.mozfiles.com/files/1036754/20536871373.pdf
    • https://site-1036665.mozfiles.com/files/1036665/ronazepozatu.pdf
    • https://cdn.shopify.com/s/files/1/0435/9690/6659/files/25963552526.pdf
    • https://cdn.shopify.com/s/files/1/0432/2181/1364/files/where_s_my_money_brian.pdf
    • https://cdn.shopify.com/s/files/1/0432/2036/9576/files/50307323040.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065d6.bin
c70d09748f19c188b15acca9c4f4fe66d2bba6779aa2496da4f2446de7254fa1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65D6 5804 bytes
font_01_sfnt_off000078f4.bin
ac7dfe2db7b8e332f58b008c26b2db2af8c3cfe5b3724e8e3dbea6f510b4499f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78F4 11460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.