Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7c1e98ba29959b3…

Verdict: MALICIOUS
File type: PDF
Size: 107.6 KB
Created: 2020-07-10 18:25:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b368c06c9ace8cd0574a6b46680207f7
SHA-1: bbf8839067da542e91ef9ba95b03c383d0562e2a
SHA-256: b7c1e98ba29959b3f99d6042b7c478cd5c0a30353fb5f7191ea536ef238178d8
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell

The PDF document contains numerous links to external PDF files, indicative of a link farm, and a critical redirector link to a known malicious domain. The document body, though heavily obfuscated, contains the malicious URL. This suggests the primary purpose is to redirect the user to malicious infrastructure, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wb?keyword=introduction%20to%20management%20book%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00016ae4.bin
    SHA-256: 9242f2c737200d73d6a1cd86f81603fbef7312d5b3ac1ac2cc9e54ce08a41490
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16AE4
    Size: 5288 bytes
  • Filename: font_01_sfnt_off00017cc3.bin
    SHA-256: facb9bffb611fbe1290635a251d13ff378ca8e8096a027383c7387cab8594949
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17CC3
    Size: 10696 bytes