Malicious PDF — malware analysis report

Static analysis result for SHA-256 c14fe9fc9839554a…

MALICIOUS

PDF

36.8 KB Created: 2020-08-13 23:51:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 072a6ab42c20b517532b0e80a27ee20a SHA-1: 349915a1b3485f154848158e856216cc03ec1a93 SHA-256: c14fe9fc9839554a7f727613ce5944b1a914e62e72da8639a23dea68ff5e500b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to benign Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure for audition scripts. The ML classifier strongly indicates maliciousness, and the PDF structure suggests a link farm used for SEO poisoning to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=marathi+audition+script+pdf
    • http://rorakodot.mypersonalleadershipjourney.com/uploads/1/3/0/9/130969103/2621587.pdf
    • http://files.ny6thinktank.org/uploads/1/3/2/6/132683463/nefubo.pdf
    • http://pezog.treeservicefortworth.org/uploads/1/3/2/7/132712413/f34beb9b.pdf
    • https://cdn.shopify.com/s/files/1/0432/4874/6651/files/calvin_and_hobbes_comic_strips_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/2630/9535/files/28070060039.pdf
    • https://cdn.shopify.com/s/files/1/0438/3067/3565/files/darajopafevidazatefabij.pdf
    • https://cdn.shopify.com/s/files/1/0437/7008/5525/files/15916672796.pdf
    • https://cdn.shopify.com/s/files/1/0436/9825/8073/files/virago_owners_group.pdf
    • https://cdn.shopify.com/s/files/1/0429/9243/5359/files/zujowabu.pdf
    • https://cdn.shopify.com/s/files/1/0439/0069/8792/files/jafoxekiwutad.pdf
    • https://cdn.shopify.com/s/files/1/0428/6965/3663/files/wowafazusavifijoperu.pdf
    • https://cdn.shopify.com/s/files/1/0437/6097/6021/files/zojanizeku.pdf
    • https://cdn.shopify.com/s/files/1/0436/0847/3763/files/44368098362.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000530e.bin
6fdb5f555dfc127fbcc71c9ab69f1b53d1975d632f922ab328260431d408f02a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x530E 5216 bytes
font_01_sfnt_off000064c7.bin
915daf10e9a8f47ae7b4a8bd46cdf316a82d0fd934650cc1d19bbe38bfef0087		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64C7 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.