Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf1233ca5c2a41fd…

MALICIOUS

PDF

39.3 KB Created: 2020-08-22 16:27:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8bb1be7033924bb878f940db3931983 SHA-1: 164903247b4d8062f16e0dd07b874ddbb2b88615 SHA-256: bf1233ca5c2a41fd6f14536d74a350f8ba345a43de49efc1238c176758536898
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass external link farm, with a primary link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text fragments and URLs that suggest a lure related to an academic worksheet. The presence of a malicious redirector indicates an attempt to deliver a secondary payload or conduct phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=ethos+pathos+logos+worksheet+high+school+pdf
    • http://pemonuxi.marcminsker.com/uploads/1/3/1/0/131070487/kenidefujewameki.pdf
    • https://cdn.shopify.com/s/files/1/0431/6708/8791/files/live_flight_tracking_app_android.pdf
    • https://cdn.shopify.com/s/files/1/0429/3846/6467/files/kilof.pdf
    • https://cdn.shopify.com/s/files/1/0431/4942/6839/files/36162235444.pdf
    • https://cdn.shopify.com/s/files/1/0433/9341/7366/files/kumuxubosedatakudigeva.pdf
    • https://cdn.shopify.com/s/files/1/0431/5178/6135/files/69472129643.pdf
    • https://cdn.shopify.com/s/files/1/0429/4947/6518/files/wusowanoger.pdf
    • https://cdn.shopify.com/s/files/1/0432/2865/9874/files/powogajatobowawaxaka.pdf
    • https://cdn.shopify.com/s/files/1/0438/8506/8456/files/gukuzeb.pdf
    • https://cdn.shopify.com/s/files/1/0433/0163/4213/files/axa_annual_report_2020.pdf
    • https://cdn.shopify.com/s/files/1/0432/8918/2376/files/rafefavigelidewawoviv.pdf
    • https://cdn.shopify.com/s/files/1/0435/6263/1326/files/warlock_class_guide_5e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b7b.bin
1275f75a3e6b8d2948df14b7c063768fc7443f63c2523193dba01a357bcb9420		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B7B 5532 bytes
font_01_sfnt_off00006e58.bin
a97994e9af5f46ad3f71a0314e00d32cc89041dd5bba45b4f6121a1088297d1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E58 10072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.