Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd0843ae94c7ba89…

MALICIOUS

PDF

44.6 KB Created: 2020-08-29 05:18:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8110d80e75bb903efced52a581f1d82 SHA-1: f4c40f05ba0b4ec1443f7a37a0b58342169b87e6 SHA-256: bd0843ae94c7ba89f755e48a895df5d92ec8fd4f1331d7e4ec74322613100879
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one pointing to a known malicious redirector. The document body is heavily obfuscated, but the presence of the URL and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic strongly suggest a malicious intent, likely to lure users to external sites. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, further supporting the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=insta+pot+manual
    • https://static.usrfiles.com/ugd/b8c837_992ee16689ec42778a78798ee7fe50aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5fbdb21f8294122bed343ea0e67c279.pdf
    • https://static.usrfiles.com/ugd/b8c837_da91eb6cea424e249b9b5cf871653045.pdf
    • https://static.usrfiles.com/ugd/b8c837_1cd0c15b13944d3c8c0a7ccd19bb429c.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f42e023c5d145ffb380619d61ab593d.pdf
    • https://static.usrfiles.com/ugd/b8c837_a88913aca34a46ac801ddf5c6929cbb0.pdf
    • https://cdn.shopify.com/s/files/1/0460/1954/3199/files/27715694660.pdf
    • https://cdn.shopify.com/s/files/1/0437/1080/8216/files/vomolavelinujoxuvudegezuj.pdf
    • https://cdn.shopify.com/s/files/1/0432/7692/7134/files/murekanofozininekikil.pdf
    • https://cdn.shopify.com/s/files/1/0431/0892/5600/files/92140326776.pdf
    • https://cdn.shopify.com/s/files/1/0435/6525/2769/files/69338922157.pdf
    • https://cdn.shopify.com/s/files/1/0431/5768/4375/files/angular_file_from_external_url.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007323.bin
ce0b4dd3f411011abf9a8e43630c8820ab0f95ac8e0c72e56222a006d8b42b37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7323 4804 bytes
font_01_sfnt_off0000835e.bin
ac303d32c679517ad5c2cbbbea303242ee23e81e43dddf7dd616f7c486bfc2d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x835E 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.