Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1a3141e50f1fec4…

Verdict: MALICIOUS

File type: PDF

Size: 66.0 KB
Created: 2020-09-01 07:47:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef99e5b0d18819496c1958fc58e68266
SHA-1: 4cf203ff28e6f74778ac3907a93cbf33c0fca857
SHA-256: d1a3141e50f1fec4628a35a69b900df6b69f568d9ce8c8cc3117f405ef314e06
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggered a heuristic for linking to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL that triggered this finding, and the ML classifier also strongly indicated maliciousness. The primary attack vector appears to be a lure disguised as sheet music that directs users to a malicious URL.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=vivaldi+four+seasons+sheet+music+pdf
    • https://static.usrfiles.com/ugd/197ed4_0f3330767e9940b59db88384f5b34095.pdf
    • https://static.usrfiles.com/ugd/55cc32_d34d240f9b9a4caa899607e11f44da63.pdf
    • https://static.usrfiles.com/ugd/9904c2_ae8406645b644bfe8d281b8d34c72dc6.pdf
    • https://cdn.shopify.com/s/files/1/0433/9938/1159/files/driverpack_offline_full_version.pdf
    • https://cdn.shopify.com/s/files/1/0435/4893/4295/files/jovobi.pdf
    • https://cdn.shopify.com/s/files/1/0430/8841/2836/files/50166301174.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/99640144283.pdf
    • https://cdn.shopify.com/s/files/1/0448/0483/3441/files/hollander_interchange_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/7818/8198/files/adding_and_subtracting_decimals_worksheets_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0434/1514/2551/files/93397233100.pdf
    • https://cdn.shopify.com/s/files/1/0431/9058/3458/files/37611147642.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_007_off0000c5aa.bin
  SHA-256: bee652007aa380857984442292a29c1ef945b09dcde604c4a71ffefe520ab4b3
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xC5AA
  Size:    21000 bytes

font_00_sfnt_off0000690b.bin
  SHA-256: 42b7bfd6b6260ff0034b7a73347397edd9fbd05f3e024f6dd3ff12f71a080250
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x690B
  Size:    3564 bytes

font_01_sfnt_off000075f5.bin
  SHA-256: b754d5bc3efd608a59d2fb58a2f338d166ee600e6f7dd70e84d98839abffcf3d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x75F5
  Size:    5304 bytes

font_02_sfnt_off000087c0.bin
  SHA-256: f248c691b9ee66ebcc52da5324b3d26a139102e440dc46047befe0602f462a60
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x87C0
  Size:    7344 bytes

font_03_sfnt_off00009bb3.bin
  SHA-256: 26a3e75d362e2837e22ffc36892ba55cf57561a915da34e099d39c08448f8c43
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9BB3
  Size:    12612 bytes

font_05_sfnt_off0000ebd1.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEBD1
  Size:    4324 bytes