Malicious PDF — malware analysis report

Static analysis result for SHA-256 c798dfe4c51c587d…

MALICIOUS

PDF

41.6 KB Created: 2020-08-18 13:05:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0de104c314aad790e84f312136347f9 SHA-1: 95bb8000b1644ee18ea6cca87c504f00d4dd9dae SHA-256: c798dfe4c51c587d69bd0bde74f7449b1a8d7dd995f26f885b58dafed46e3608
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'Mailchimp html template design'. The presence of numerous external links, including one to a malicious redirector, suggests an attempt to direct the user to malicious content. The PDF was flagged by a machine learning classifier as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=mailchimp+html+template+design
    • http://kalud.breidholtfestival.com/uploads/1/3/1/4/131406717/mibunupuxa.pdf
    • http://files.cingirard.com/uploads/1/3/2/6/132682048/nokadovevogokidoveke.pdf
    • https://cdn.shopify.com/s/files/1/0449/5812/2139/files/remove_watermark_from_adobe_pro.pdf
    • https://cdn.shopify.com/s/files/1/0428/0179/1132/files/74824065961.pdf
    • https://cdn.shopify.com/s/files/1/0428/6955/5356/files/71136517225.pdf
    • https://cdn.shopify.com/s/files/1/0428/4294/7750/files/tawetoxofaxokij.pdf
    • https://cdn.shopify.com/s/files/1/0433/6805/4940/files/27964015213.pdf
    • https://cdn.shopify.com/s/files/1/0430/6327/9767/files/zixonagexarofitusorezi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7431/3621/files/91623661982.pdf
    • https://cdn.shopify.com/s/files/1/0434/6049/3474/files/2157177092.pdf
    • https://cdn.shopify.com/s/files/1/0438/8339/7275/files/manualidades_con_botellas_de_plastico.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006417.bin
b214ae6071532c33e80356c5cc4b793ff07ceb042b02c4d3a91fdbb489cb8373		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6417 5396 bytes
font_01_sfnt_off00007652.bin
56a773f21e387d50203b123a538da58643cfd61e75c3ef2cc9630c5546074454		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7652 10448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.