Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5dabaf4e9072295…

MALICIOUS

PDF

44.5 KB Created: 2020-08-14 11:06:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f82644be89cbfd4865c02d9e6ab2db4e SHA-1: 21acd7dd7514264824ea966a106f53c7d706d03d SHA-256: c5dabaf4e9072295f08b844559cc5765c86243e7feb44d047e41d8658ff12dab
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the primary malicious URL. The presence of many links, including to benign-looking Shopify domains, suggests a link farm or SEO poisoning tactic to disguise the malicious redirector. No scripts were extracted, but the primary attack vector is the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=structural%20analysis%20civil%20engineering%20mcq%20pdf
    • http://files.backroadsfab.com/uploads/1/3/0/7/130738836/7722855.pdf
    • http://files.carolinadancecenter.com/uploads/1/3/1/4/131453267/kabeloso.pdf
    • http://files.iowajuneteenth.org/uploads/1/3/0/7/130776167/watafajapi.pdf
    • http://files.southerncrosscvi.com.au/uploads/1/3/2/6/132680974/nodaturevu.pdf
    • https://cdn.shopify.com/s/files/1/0431/7754/1787/files/abta_test_paper_2020_class_10_download.pdf
    • https://cdn.shopify.com/s/files/1/0436/8692/0347/files/tecnologias_de_la_informacion_y_comunicacion_en_salud.pdf
    • https://cdn.shopify.com/s/files/1/0438/3778/4224/files/celestine_prophecy_10th_insight.pdf
    • https://cdn.shopify.com/s/files/1/0431/1449/6161/files/makalah_sejarah_peradilan_agama_di_indonesia.pdf
    • https://cdn.shopify.com/s/files/1/0431/5942/1092/files/39334815402.pdf
    • https://cdn.shopify.com/s/files/1/0430/7399/4905/files/tuxaxufemisatekofone.pdf
    • https://cdn.shopify.com/s/files/1/0430/6108/4322/files/sap_analysis_for_office_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/2502/2621/files/16622431039.pdf
    • https://cdn.shopify.com/s/files/1/0439/2756/8552/files/financial_market_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/8122/7672/files/aimware_csgo_hack_free.pdf
    • https://cdn.shopify.com/s/files/1/0439/3595/7147/files/personality_color_test_red_blue_green_yellow.pdf
    • https://cdn.shopify.com/s/files/1/0439/4627/9080/files/occupational_health_and_safety_green_book.pdf
    • https://cdn.shopify.com/s/files/1/0435/9972/4702/files/bepesenibumabuvumiditu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cd4.bin
ebf95bc7ef05ffd6c3861bbae87c868357bdc98cd0a11e51c223bf65c30d609f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CD4 5864 bytes
font_01_sfnt_off000080b9.bin
d09d446145ca6f29d8d70af02e59e7decdba4c9789a91a5972c0fdffe98043bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80B9 10484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.