Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd7edd3f9fbc4513…

Verdict: MALICIOUS
File type: PDF
Size: 55.6 KB
Created: 2020-08-22 09:06:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a40c86376c7eacf445013cc2934fd192
SHA-1: 0a3e280f21ad14ba2685b56cbd9695daa4c6ddcb
SHA-256: bd7edd3f9fbc45138e2ef3cd622afcef5f404afa2d27f9630312399d7d59351e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic firings indicate a PDF link farm, suggesting the document's primary purpose is to distribute malicious links. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of numerous links points to a likely phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=anbae+per+anbae+video+song++1080p

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source within the PDF, and size.

  • font_00_sfnt_off00005db2.bin
    SHA-256: 7207569ad705a2b288c8b27ae8e6c00652108190c9c869642021ab87cbeb3cb4
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5DB2; Size: 5672 bytes
  • font_01_sfnt_off00007104.bin
    SHA-256: 1ed1850b7abe47cbba7eff6020941248d9efbd41917d2ae250e0d3fbb66c7b3d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7104; Size: 2968 bytes
  • font_02_sfnt_off00007d4a.bin
    SHA-256: 761fa81ef7b6b8ce3808fd7a13cef83f453e2044ed4b460141bdb224bdf46838
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7D4A; Size: 3848 bytes
  • font_03_sfnt_off00008bb4.bin
    SHA-256: 1b65ff82cd43214772f169589416d14d1520d367b20425952ee9b3c32855a61b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8BB4; Size: 2732 bytes
  • font_04_sfnt_off0000962f.bin
    SHA-256: 9e2d110260619d1e9d81f7a51db5154f701ca5f0e153c215eb89140f5c270204
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x962F; Size: 10228 bytes
  • font_05_sfnt_off0000b968.bin
    SHA-256: e923e76bf89b118ab362d26bc160801f6df3e0a9971dbff99d798902b4fceb4d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB968; Size: 16656 bytes