Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3d6c9f42e58f129…

Verdict: MALICIOUS
File type: PDF
Size: 59.2 KB
Created: 2020-08-18 12:58:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05379a3349d93966bc5c0476b514aa74
SHA-1: f84914a406e5a15f449a1219326c31c5ce906762
SHA-256: c3d6c9f42e58f129469b796a2bd2d5645bc96542c3e73d85e4b6132b01790fc9
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF carries 14 clickable links: 13 to other .pdf files (11 of them on cdn.shopify.com) and one to https://ttraff.com/, a known malicious redirector. A small, wkhtmltopdf-generated file that consists almost entirely of outbound links is the pattern of a generated SEO/link-farm carrier used to route users into redirect chains, not of a normal document. The ML classifier also scored the file as malicious. No scripts were extracted and the page content decoded to little readable text, so the verdict rests on the link structure and the classifier rather than on an exploit or active content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains, not on a PDF parser vulnerability, so the risk is in the click, not in opening the file.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external .pdf links, mostly clustered on one host (here 11 of 13 on cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL itself is not a detection; what matters is the channel that reached it (macro, JavaScript, link annotation, document body, metadata). The clickable link annotations in this sample are:
    • https://ttraff.com/pify?keyword=god+bhairava+photo (the redirector matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://files.brushandbranch.co/uploads/1/3/0/7/130740344/2297158.pdf
    • http://nebip.rogeraldridge.com/uploads/1/3/1/3/131380600/4145002.pdf
    • https://cdn.shopify.com/s/files/1/0433/9626/8193/files/77319195216.pdf
    • https://cdn.shopify.com/s/files/1/0432/0018/4477/files/number_coloring_worksheets_for_kindergarten.pdf
    • https://cdn.shopify.com/s/files/1/0430/2402/3715/files/60870243172.pdf
    • https://cdn.shopify.com/s/files/1/0433/1307/0238/files/46763992196.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/58580374151.pdf
    • https://cdn.shopify.com/s/files/1/0429/7277/4556/files/79683201495.pdf
    • https://cdn.shopify.com/s/files/1/0433/6176/3480/files/jutedoserufozuji.pdf
    • https://cdn.shopify.com/s/files/1/0448/0499/7271/files/twitch_founder_badge.pdf
    • https://cdn.shopify.com/s/files/1/0435/0817/0918/files/43480321378.pdf
    • https://cdn.shopify.com/s/files/1/0429/8362/0757/files/kraus_antennas_download.pdf
    • https://cdn.shopify.com/s/files/1/0436/2128/6050/files/37614681895.pdf
    The remaining six strings are XMP/RDF namespace URIs from the document's metadata packet. They are standard schema identifiers (RDF, Dublin Core, Adobe PDF and XMP namespaces), not clickable links, and carry no signal on their own; they should not be counted toward the link farm:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
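The two link heuristics above can be reproduced offline. The script below is an added example, not the report's own detection engine: it pulls URI link actions out of a PDF (inflating Flate streams so links inside compressed objects are not missed), keeps XMP namespace URIs apart from clickable annotations, and raises PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM on the same evidence the report cites. The thresholds (MAX_FARM_SIZE, MIN_PDF_LINKS, CLUSTER_RATIO), the redirector host list and the sample PDF built by build_sample_pdf() are assumptions constructed for the demo; the .test hostnames are placeholders, not the hosts from the report.

```python
"""Link-based PDF triage: the report's two link heuristics as a stand-alone script.
Added example; thresholds, redirector list and the sample PDF are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}   # assumed intel list (host taken from the report)
MAX_FARM_SIZE = 200 * 1024                # "small PDF" cut-off, assumed
MIN_PDF_LINKS = 8                         # minimum clickable .pdf links, assumed
CLUSTER_RATIO = 0.6                       # share of .pdf links on the dominant host, assumed

# Namespace URIs from an XMP packet are metadata identifiers, not clickable links.
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                   "http://purl.org/dc/", "http://ns.adobe.com/")

URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
ANY_URL = re.compile(rb"https?://[^\s<>\"')]+")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_uris(pdf: bytes):
    """Split URLs into link-annotation URIs and URLs seen anywhere else (e.g. XMP).
    Flate streams are inflated so URLs inside compressed objects are not missed."""
    blobs = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (fonts, images, raw text)
    annots, others = [], []
    for blob in blobs:
        found = [u.decode("latin-1") for u in URI_ACTION.findall(blob)]
        annots.extend(found)
        others.extend(u.decode("latin-1") for u in ANY_URL.findall(blob)
                      if u.decode("latin-1") not in found)
    return annots, others


def is_xmp_namespace(url: str) -> bool:
    return url.startswith(XMP_NS_PREFIXES)


def evaluate(pdf: bytes) -> dict:
    """Apply the two link heuristics; returns the evidence alongside the rule names."""
    annots, others = extract_uris(pdf)
    hosts = Counter(urlparse(u).hostname for u in annots)
    findings = []
    if hosts.keys() & KNOWN_REDIRECTOR_HOSTS:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [u for u in annots if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= MAX_FARM_SIZE and len(pdf_links) >= MIN_PDF_LINKS:
        _top_host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= CLUSTER_RATIO:
            findings.append("PDF_SEO_LINK_FARM")
    return {"annotation_uris": annots, "pdf_links": len(pdf_links),
            "xmp_namespaces": [u for u in others if is_xmp_namespace(u)],
            "findings": findings}


def build_sample_pdf() -> bytes:
    """Constructed sample (not the report's file): one page whose link annotations point
    at a redirector plus ten .pdf files, nine on the same CDN host, and an XMP metadata
    stream carrying the standard namespace URIs. Hostnames under .test are placeholders."""
    links = ["https://ttraff.com/pify?keyword=example"]
    links += [f"https://cdn.example-shop.test/s/files/1/0433/{i:04d}/files/{i}.pdf" for i in range(9)]
    links += ["http://files.example-farm.test/uploads/1/3/0/7/2297158.pdf"]
    annots = "".join(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({u}) >> >> " for u in links).encode()
    xmp = zlib.compress(b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
                        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                        b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
                        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(xmp) + xmp + b"\nendstream"]
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = evaluate(build_sample_pdf())
    print(result["findings"], result["pdf_links"], result["xmp_namespaces"])
```

Running the script on the constructed sample raises both rules and lists the three namespace URIs separately from the eleven annotation URIs. The regex extraction is deliberately tolerant (it does not parse the object graph), so it will also see URI actions that a strict parser would reject; for triage that is the right trade-off, since a link farm does not need to be a well-formed PDF to be clicked.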

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00008f02.bin
    SHA-256: 6bb3a1364bac5d30a8b44d3390346884e36efe7f9ac9914bef1e685cb6fb62a9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F02
    Size: 5068 bytes
  • font_01_sfnt_off0000a041.bin
    SHA-256: eb903a4bcabb0673128613fc2c6a3b3be6b6be0204d11159aa2f590e1d82ee93
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA041
    Size: 3740 bytes
  • font_02_sfnt_off0000abba.bin
    SHA-256: 4dd32f3d6a6af27a6340304c522cfea1c05cf46a0439b24ba96e57bfbc99a02f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xABBA
    Size: 10992 bytes
  • font_03_sfnt_off0000cfb1.bin
    SHA-256: 6b44761372daa0482fe92cd0fba1d86fdb9ecfc82b596abd88ae0b9c5a660c73
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCFB1
    Size: 4336 bytes
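Carved font streams like the four above are worth a quick structural check before they are dismissed as benign, since an embedded font is the one place in this sample where a parser bug rather than a click could matter. The checker below is an added example, not part of the report or its analysis pipeline: it parses the sfnt offset table and table directory and flags any table that points outside the blob, which is what a truncated carve or a crafted font looks like. The font it runs on is constructed in build_font() and is not one of the carved artifacts; artifact_record() produces the same hash/size fields the table above uses.

```python
"""Sanity-check a carved sfnt (TrueType/OpenType) font blob. Added example for
triaging carved font streams; the sample font is constructed, not a report artifact."""
import hashlib
import struct

SFNT_TAGS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}   # TrueType, CFF-based OpenType, Apple


def check_sfnt(blob: bytes):
    """Return (ok, issues). A table whose [offset, offset+length) overruns the blob means a
    truncated carve or a crafted directory; either way the font should not be trusted."""
    if len(blob) < 12:
        return False, ["shorter than the 12-byte offset table"]
    tag, num_tables = blob[:4], struct.unpack(">H", blob[4:6])[0]
    issues = [] if tag in SFNT_TAGS else [f"unknown sfnt tag {tag!r}"]
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        return False, issues + [f"directory of {num_tables} tables overruns {len(blob)}-byte blob"]
    for i in range(num_tables):
        name, _csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off < dir_end or off + length > len(blob):
            issues.append(f"table {name.decode('latin-1')} [{off}, {off + length}) outside blob")
    return not issues, issues


def build_font(truncate: int = 0) -> bytes:
    """Constructed minimal sfnt with two zero-filled tables; `truncate` drops trailing
    bytes to imitate a short carve. searchRange/entrySelector/rangeShift are for 2 tables."""
    tables = [(b"head", bytes(54)), (b"hhea", bytes(36))]
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 32, 1, 0)
    records, body, off = b"", b"", 12 + 16 * len(tables)
    for name, data in tables:
        records += struct.pack(">4sIII", name, 0, off, len(data))
        data += bytes(-len(data) % 4)          # table data is 4-byte aligned
        body += data
        off += len(data)
    font = header + records + body
    return font[:len(font) - truncate] if truncate else font


def artifact_record(blob: bytes) -> dict:
    """Summarise a carved blob the way the artifact table does: hash, size, validity."""
    ok, issues = check_sfnt(blob)
    return {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
            "ok": ok, "issues": issues}


if __name__ == "__main__":
    print(artifact_record(build_font()))
    print(artifact_record(build_font(truncate=8)))
```

A clean directory only shows the blob is self-consistent; it says nothing about the glyph programs inside the tables. For a sample that, like this one, relies on clicks rather than parser bugs, this check is enough to confirm the fonts are ordinary carves rather than another vector.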