Malicious PDF — malware analysis report

Static analysis result for SHA-256 c84f95a880382629…

MALICIOUS

PDF

Size: 78.3 KB
Created: 2020-08-29 19:01:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 998252b0fd002f4a25cb0c0911b428e4
SHA-1: 64f16a4c83abfd7b24828380307a2fe6268cdc95
SHA-256: c84f95a880382629318191d05ce390a28b23924c7514edb36043b239a4b81465
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link farm of 13 external PDF documents, with the primary link pointing to a known malicious redirector. The document body is heavily obfuscated but contains the malicious URL. This indicates a likely attempt to redirect users to malicious content through a deceptive link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.com/wix?keyword=dies+irae+wiki
    • https://cdn.shopify.com/s/files/1/0440/4386/2181/files/android_studio_3._5._0_release_notes.pdf
    • https://cdn.shopify.com/s/files/1/0429/5308/0985/files/majatezubalogif.pdf
    • https://cdn.shopify.com/s/files/1/0430/2651/4077/files/zurutiz.pdf
    • https://static.usrfiles.com/ugd/36f25b_61219a01ded34530ac1f20113d09a113.pdf
    • https://static.usrfiles.com/ugd/b8c837_f9cb64377931492a976cbb0dee8b1c33.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab2ed23df8174c8a945b6e9f43d58aad.pdf
    • https://static.usrfiles.com/ugd/b8c837_5ac9f9b88e3c48abafbd446574e31abb.pdf
    • https://static.usrfiles.com/ugd/accd1f_6c9554b2e2a84b929834e1f1f5865976.pdf
    • https://cdn.shopify.com/s/files/1/0439/1701/7243/files/74492546470.pdf
    • https://cdn.shopify.com/s/files/1/0433/9944/6693/files/55762561449.pdf
    • https://static.usrfiles.com/ugd/b8c837_b84c6da799b543d1a62975f5d6b26b31.pdf
    • https://static.usrfiles.com/ugd/b8c837_e43cd70dca8b46ba9686f78f1d9aba3d.pdf
    • https://static.usrfiles.com/ugd/760101_bea9f88aa42c4ca7b7cf3a1e9306dacd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off000083bb.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83BB  | 38172 bytes
  SHA-256: 0d201b6b78a49b89bb696a5bf180fe2a7a7cd09e0171ec94662256add225c64e
font_01_sfnt_off0000f936.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF936  | 4800 bytes
  SHA-256: 43290b70bf601ad6dbdf2ee6eccfbb639485c80d1e24273758722769aa14d663
font_02_sfnt_off000109b0.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x109B0 | 10288 bytes
  SHA-256: 5cf2d4d7843b2fdc32e56137177c2dc9b0c8dd2d11345ec2a9dee7953a9d17ab