Malicious PDF — malware analysis report

Static analysis result for SHA-256 c59a9809226b9463…

MALICIOUS

PDF

50.7 KB Created: 2020-08-02 10:15:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab2f07ad623f853368784ca8edfeab8c SHA-1: 5889d51497dfed799243fd8296b33859cf44ff3f SHA-256: c59a9809226b946357d16b8de631be664ce00af9799d0278d5c05b1afd6b32d6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, with one specifically pointing to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'Runescape magic training' and a URL that appears to be part of a link farm designed to attract search engine traffic. The presence of numerous external PDF links and the ML classifier's high confidence score further support the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=runescape+magic+training
    • http://files.art63lynch.com/uploads/1/3/1/0/131070692/gaduwewirinuwileki.pdf
    • http://files.artsburgday.com/uploads/1/3/0/7/130776607/mujexozen-dadejezevuf.pdf
    • http://files.themissingbride.com/uploads/1/3/0/8/130813841/ponudeditom_najako_sepetowuzubeki_makip.pdf
    • https://cdn.shopify.com/s/files/1/0431/0535/3885/files/nutalogi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2007/4663/files/70830272002.pdf
    • https://cdn.shopify.com/s/files/1/0428/8462/8633/files/nawavur.pdf
    • https://cdn.shopify.com/s/files/1/0431/4716/5850/files/wufexadugozemagezuzinolan.pdf
    • https://cdn.shopify.com/s/files/1/0440/6919/1832/files/89737019052.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3631/files/76185814348.pdf
    • https://cdn.shopify.com/s/files/1/0432/2567/7982/files/wivugevudenerivu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3264/9636/files/89363325815.pdf
    • https://cdn.shopify.com/s/files/1/0431/3825/2957/files/xapipidanejajegenovi.pdf
    • https://cdn.shopify.com/s/files/1/0435/4696/8218/files/mewakuvesevabajo.pdf
    • https://cdn.shopify.com/s/files/1/0441/0291/0104/files/60985577858.pdf
    • https://cdn.shopify.com/s/files/1/0433/3414/0056/files/gumenu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008883.bin
3fb33d677ead242350cd5006c09ac9a5bd14af82e65d4f24b0ffafe06679c240		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8883 5228 bytes
font_01_sfnt_off00009a40.bin
1d1b6f904d5a946092fc8711f16c6b4fa143606d5d9e1f420815872192f9ad2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A40 10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.