Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9b2135ff6721b3c…

MALICIOUS

PDF

40.7 KB Created: 2020-08-20 11:29:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac18faf4305bd37b0b063db56373fac0 SHA-1: 069ef397fa03ee03c5dbcc4c6760772cce7e7ef3 SHA-256: b9b2135ff6721b3c62d68fcc52622e747793fe65205cce82dc25bc7c23c8a971
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised as an offer for free antivirus software. This is supported by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic firing. The PDF also contains a large number of external links, many hosted on shopify.com, indicating a link farm for SEO manipulation, as flagged by PDF_SEO_LINK_FARM. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=free+kaspersky+antivirus+for+android+phone
    • http://fifelarik.stories4strength.org/uploads/1/3/0/7/130776257/d5e44427336.pdf
    • https://cdn.shopify.com/s/files/1/0439/0027/2792/files/36428899401.pdf
    • https://cdn.shopify.com/s/files/1/0433/4419/9829/files/fipomozolezogovebovegabun.pdf
    • https://cdn.shopify.com/s/files/1/0432/3246/0960/files/43097459859.pdf
    • https://cdn.shopify.com/s/files/1/0438/1281/5010/files/causes_of_stroke_in_young.pdf
    • https://cdn.shopify.com/s/files/1/0431/4392/1820/files/47079969967.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/66759255783.pdf
    • https://cdn.shopify.com/s/files/1/0429/8535/7463/files/kifubarijixu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0966/2366/files/sitisad.pdf
    • https://cdn.shopify.com/s/files/1/0434/1510/9799/files/13445339883.pdf
    • https://cdn.shopify.com/s/files/1/0432/7312/6052/files/29015732861.pdf
    • https://cdn.shopify.com/s/files/1/0454/3823/8878/files/pesumep.pdf
    • https://cdn.shopify.com/s/files/1/0438/9571/8040/files/dedorusadilonimufise.pdf
    • https://cdn.shopify.com/s/files/1/0464/1387/3320/files/angular_formbuilder_group_set_value.pdf
    • https://cdn.shopify.com/s/files/1/0433/6759/6184/files/37209052857.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000612e.bin
9767b27f3e90b3f5593f0e241f64618bfc26d50b688c2ae67be25662b5a68c7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x612E 5280 bytes
font_01_sfnt_off0000732f.bin
dd59042f39fa6a0ec4519da7b33c4e622a3c83d07958b1304e1856096e1bb175		 pdf-font-stream PDF embedded font (sfnt) at offset 0x732F 10176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.