Malicious PDF — malware analysis report

Static analysis result for SHA-256 b778cc8904d986e9…

Verdict: MALICIOUS
File type: PDF
Size: 62.4 KB
Created: 2020-08-31 02:20:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03d8fd4863c657b8ad2e8968140d3ec7
SHA-1: c6e634fd93b54d72e05cac53549421a5ea527133
SHA-256: b778cc8904d986e9c68d0708f43cd5c09b9c53b701fe7f80b50c58de86dba2ce
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a malicious redirector link disguised as a movie streaming page. It also carries a large number of external PDF links, many of them hosted on Shopify, most likely for SEO manipulation or to obscure the final malicious destination. The ML classifier scored the file as strongly malicious, and the embedded URL points to a known malicious redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=tres+veces+t%25C3%25BA+pel%25C3%25ADcula+completa+en+espa%25C3%25B1ol+latino+online+gratis+2018

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source and size, followed by the carved file's SHA-256.

  • font_00_sfnt_off00005f75.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5F75; Size: 6832 bytes
    SHA-256: f6d8f0c111dd8b7acea4675c0ab710aee574dfbde482b739aef85f37a17f2c37
  • font_01_sfnt_off00007092.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7092; Size: 6060 bytes
    SHA-256: 553886228ef76fe131d7322ce41f2bc6bedec51f0c07864c2f49eca71280e4c6
  • font_02_sfnt_off00008574.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8574; Size: 6164 bytes
    SHA-256: e02074ae166afe155d47b52313ac686deb03bb52d159ac2c8cfdae454e9fd81a
  • font_03_sfnt_off000099e1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x99E1; Size: 1640 bytes
    SHA-256: 63975d493714adb1f25107eb990a1283182f0aa60e4c73a8f150a2674429c6f8
  • font_04_sfnt_off0000a224.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xA224; Size: 15000 bytes
    SHA-256: fc5800e74a609f5e99abc2cb7605c7acac12ff73eebb6f6062cc4f2e5e8eeb34
  • font_05_sfnt_off0000d050.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD050; Size: 16944 bytes
    SHA-256: d290716bad67eabd132e65b44130f88b6588498f3c69be2686e6ab9e02495626