Malicious PDF — malware analysis report

Static analysis result for SHA-256 be875a7e433e7ece…

MALICIOUS

PDF

37.3 KB Created: 2020-09-21 21:10:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01961cfd4ebb7ec8fbbbc675b0242091 SHA-1: 9763ab680e43a478b9d4847d6342cd298c2f0e37 SHA-256: be875a7e433e7ece620f394b9922eb32719b8257147f8e74361d04a4b0cdf1f9
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The primary redirector URL is https://ttraff.cc/pify?keyword=shenmue+2+guide+book+pdf, which likely leads to malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, and the document body was heavily obfuscated.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=shenmue+2+guide+book+pdf
    • http://siwezi.mistyhollowfarm.net/uploads/1/3/2/8/132816066/8599486.pdf
    • http://pusaji.firstclassdetailgalv.com/uploads/1/3/1/4/131437679/6086928.pdf
    • http://joval.coronadopace.org/uploads/1/3/1/0/131070806/9871466.pdf
    • http://files.stepoutsidefitness.com.au/uploads/1/3/2/6/132680808/xakezovadavipi.pdf
    • http://files.jessiejewelsart.com/uploads/1/3/1/3/131398507/fdc1d42fe58382.pdf
    • http://sugatoju.ashleyknappenberger.com/uploads/1/3/0/7/130776445/nuxof_vovamojudujavis.pdf
    • http://zunetopon.stonegatekilleen.com/uploads/1/3/0/7/130739873/vebepuwexigozanu.pdf
    • http://files.deltapsichapter.com/uploads/1/3/0/8/130814124/lijasinuzefefe.pdf
    • http://files.daleismopeners.com/uploads/1/3/2/3/132303238/7029277.pdf
    • https://584004e6-2cb7-4395-a089-f5e894dbb24b.filesusr.com/ugd/154db6_c0d11ae62bc24f8b9f70ba44a2e37c63.pdf?index=true
    • https://a430c077-80b6-4b08-91cb-20ad0259bdf5.filesusr.com/ugd/592671_51ac742a44dc4c8e809251334a53a2c4.pdf?index=true
    • https://e687cb3e-9339-4ae1-9ec8-c9b9949eaad3.filesusr.com/ugd/95089d_988c81a5332743cbaeb8a96c40ff9f5a.pdf?index=true
    • https://f2459a59-8c31-4c10-99f5-f03a9bb3dd51.filesusr.com/ugd/ebc5f9_69b138c66fb140d8bbc36123a9b68b7d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005387.bin
cb862ea678a21dc0dc88ad360d53e7c8cf921226ee1d29aba114caa67a60e3bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5387 5376 bytes
font_01_sfnt_off000065b9.bin
aae2e3be236a39ae88b95025bb9a745b899f356e2a42f9763af6950fbbc17481		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65B9 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.