Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4757ebbb7fec422…

Verdict: MALICIOUS
File type: PDF
Size: 68.7 KB
Created: 2020-08-10 08:21:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c64b8f115b49b738c31d2c6f8d44ea7f
SHA-1: c3f193256bd263079a74f4b2e688d5fe85ea6c63
SHA-256: d4757ebbb7fec4224bc91889ddf1b43b9a8c5978725db31d26c091473b47a33b
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the same URL as the malicious link, reinforcing the lure. The presence of numerous external links, many pointing to Shopify domains, suggests a link farm used for SEO poisoning or traffic redirection. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=cbse+class+10+social+science+syllabus+2020+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

font_00_sfnt_off00008f92.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F92
    Size: 5524 bytes
    SHA-256: 4734a0a0ee605527ce91ff9fe7218748205b2a1feb2c5ca5df52994d78935da5

font_01_sfnt_off0000a270.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA270
    Size: 6964 bytes
    SHA-256: 06917b0f29e6e0af92136f79cb02c75d9f6bb30eea93e32521e20bcd29437ab6

font_02_sfnt_off0000b642.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB642
    Size: 10360 bytes
    SHA-256: 5a4eeb2b63c11f4a3d7da46bf5e9da9d2373503cba3f4582e13fc97c3db154f9

font_03_sfnt_off0000d9e7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD9E7
    Size: 17492 bytes
    SHA-256: c1e6ffc75750c5739b28184ea098192487e1c360ff13057a509a4a6bbbe05e79

font_04_sfnt_off0000f374.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF374
    Size: 4420 bytes
    SHA-256: 22ea939fffb1cf5ce6eb4cb383af19aed0e46e98ec471f324efae2056563655f