Malicious PDF — malware analysis report

Static analysis result for SHA-256 cac8c46ce3b901be…

Verdict: MALICIOUS
File type: PDF
Size: 38.7 KB
Created: 2020-08-10 13:47:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9c882b45804bad91acf01c5434959f7
SHA-1: ca928bab545d59df9b17fbc80666315193135c75
SHA-256: cac8c46ce3b901be332928baa5dde7e535292a40caf9ad8443139a173eba0fed
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF carries a large number of clickable link annotations, most of them pointing at external .pdf resources dressed up as legitimate documents; the wkhtmltopdf producer string is consistent with an HTML page rendered straight to PDF, which is how generated SEO carriers are typically built. Two critical heuristics fired: one on a direct link to known malicious redirector infrastructure, the other on the link-farm pattern itself (a small file, many external PDF links, most of them clustered on a single host). The ML classifier also scored the file as malicious with full confidence. The attack pattern is social rather than technical: the document does not exploit a parser weakness but relies on the user clicking through, with the links most likely leading to further unwanted-software downloads or credential phishing.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=handbook+of+clinical+anesthesia+barash+pdf
    • http://files.jacquismithmusic.com/uploads/1/3/1/4/131438071/995279e964009.pdf
    • http://files.mgwelch.co.uk/uploads/1/3/2/6/132681307/rulosuxef.pdf
    • http://tivoseto.apexmedicalgas.com/uploads/1/3/1/1/131164250/fikepika-tigifenugab-luzaroku.pdf
    • http://files.richesoncabinets.com/uploads/1/3/0/7/130740591/035f5851642.pdf
    • http://files.davidviolet.com/uploads/1/3/1/4/131411245/jokovurase.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/discoveries_in_science.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/72163988246.pdf
    • https://cdn.shopify.com/s/files/1/0435/9792/2461/files/60010944892.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85947343199.pdf
    • https://cdn.shopify.com/s/files/1/0441/3951/1960/files/2269048592.pdf
    • https://cdn.shopify.com/s/files/1/0440/3272/1046/files/34631503851.pdf
    • https://cdn.shopify.com/s/files/1/0431/1977/1799/files/82002664982.pdf
    • https://cdn.shopify.com/s/files/1/0431/3926/8774/files/functional_structure_definition.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/32888200961.pdf
    • https://cdn.shopify.com/s/files/1/0437/0835/0615/files/5673164487.pdf
    • https://cdn.shopify.com/s/files/1/0428/8148/2919/files/ed_rosenthal_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries (w3.org, purl.org and ns.adobe.com) are XMP/RDF schema namespace identifiers from the document's metadata stream, not clickable link targets, and carry no weight in the verdict.
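To make the two critical heuristics concrete, the following is an added example (not the analysis platform's own code) that builds a small, uncompressed PDF in memory with one /Link annotation per URI, extracts the /URI targets and the /Producer string with a raw scan, and applies a redirector-host check and a link-farm check modelled on PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. The blocklist, the thresholds, the sample hosts and the sample URIs are all assumptions chosen for illustration; the raw scan deliberately ignores compressed object streams, which a production extractor would have to inflate first.

```python
"""Link heuristics for a PDF, run over a constructed sample.

Added example, not the report's own tooling. Hosts, thresholds and the
sample URIs below are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal string body of /URI ( ... ) or /Producer ( ... ), honouring backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
PRODUCER_RE = re.compile(rb"/Producer\s*\(((?:\\.|[^\\)])*)\)")

REDIRECTOR_HOSTS = {"redirector.example"}  # assumed blocklist (matches host and subdomains)
SMALL_PDF_BYTES = 100 * 1024                # assumed: what counts as a "small" PDF
MIN_FARM_LINKS = 8                          # assumed: external .pdf links needed to call it a farm
CLUSTER_RATIO = 0.5                         # assumed: share of external links on the busiest host

# Constructed sample: one redirector link, eight .pdf links on one CDN host, three stragglers.
SAMPLE_URIS = (
    ["https://go.redirector.example/pify?keyword=handbook+pdf"]
    + [f"https://cdn.farm.example/s/files/{i}/doc{i}.pdf" for i in range(8)]
    + ["http://files.other1.example/uploads/a.pdf",
       "http://files.other2.example/uploads/report(1).pdf",
       "https://www.other3.example/about"]
)


def pdf_escape(s: str) -> bytes:
    """Escape a Python string as the body of a PDF literal string."""
    b = s.encode("latin-1")
    return b.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def pdf_unescape(raw: bytes) -> str:
    """Undo the escapes above (enough for URIs; octal escapes are not handled)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def build_sample_pdf(uris, producer="wkhtmltopdf 0.12.5 (via Qt 4.8.7)") -> bytes:
    """Minimal uncompressed PDF with one /Link annotation per URI.
    Objects: 1 catalog, 2 pages, 3 page, 4 info, 5.. annotations; xref
    offsets are computed so a classic parser accepts the file."""
    annot_ids = range(5, 5 + len(uris))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
        + b" ".join(b"%d 0 R" % i for i in annot_ids) + b"] >>",
        b"<< /Producer (" + pdf_escape(producer) + b") >>",
    ] + [
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ("
        + pdf_escape(u) + b") >> >>"
        for u in uris
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 4 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """/URI targets from uncompressed objects. Caveat: objects packed into
    compressed object streams (/ObjStm, PDF 1.5+) are invisible to a raw
    scan; a production extractor must inflate those first."""
    return [pdf_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def extract_producer(pdf: bytes):
    m = PRODUCER_RE.search(pdf)
    return pdf_unescape(m.group(1)) if m else None


def is_redirector(host) -> bool:
    return host is not None and any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS)


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply both heuristics and return the evidence an analyst would want
    next to the rule names that fired."""
    parts = [urlsplit(u) for u in extract_uris(pdf)]
    external = [p for p in parts if p.scheme in ("http", "https")]
    hosts = Counter(p.hostname for p in external)
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    findings = []
    if any(is_redirector(p.hostname) for p in external):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_FARM_LINKS and share >= CLUSTER_RATIO:
        findings.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "producer": extract_producer(pdf),
            "external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 3),
            "findings": findings}


if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_URIS)).items():
        print(f"{key}: {value}")
```

The verdict dictionary keeps the host histogram summary and the link counts alongside the rule names, because on a real sample an analyst wants to see why a rule fired (which host dominates, how many of the links are .pdf) rather than just a label; a handful of citations on mixed hosts in a normal document leaves both rules quiet.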

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005a04.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5A04   5408 bytes
  SHA-256: 121ee2b54ac9ff511db29859c02394e6e407c0336c805b268075cccddc969899
font_01_sfnt_off00006c54.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6C54   9796 bytes
  SHA-256: 3869c2222cb052ff6dd7e45c3b96ef033fa8e47201f236e2ba31c55c57582680