Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7bb78c0b63a363c…

MALICIOUS

PDF

Size: 43.4 KB
Created: 2020-08-14 18:30:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     adaffd09e1b9516456d3625fd3371fe6
SHA-1:   ffa30f62e4c419fefc5993a340e9d5bc9c41a240
SHA-256: d7bb78c0b63a363c19809958a97b49551fd1de84d57f63ee0fbbfe56c1511206
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the sample carries clickable URI link annotations into redirect chains)
  • T1059.001 Command and Scripting Interpreter: PowerShell (no script content was extracted from this sample, so this mapping is not backed by the static artifacts below)

The document packs 17 clickable external URLs into a 43.4 KB file, 12 of them on a single host (cdn.shopify.com), and one of them points at known malicious redirector infrastructure. That density and clustering is what the PDF_SEO_LINK_FARM heuristic keys on: a generated SEO/link-farm carrier used for search-ranking abuse and to route users into unwanted-software delivery chains. The Nyx classifier scores the file as malicious with maximal confidence. No JavaScript or other script content was extracted, so the risk is the redirect chain reached through user clicks, not a PDF parser or scripting exploit.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=parked+page+template
    • http://files.zudane.com/uploads/1/3/0/7/130775131/1ce7e3a06.pdf
    • http://files.easyway-it.com/uploads/1/3/1/0/131070579/tewetomo.pdf
    • http://files.townofgeraldineal.com/uploads/1/3/1/4/131407057/8a64304.pdf
    • http://files.pickleandwink.com/uploads/1/3/2/6/132681456/vizovej-zagonaropubumi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8609/4229/files/duxil.pdf
    • https://cdn.shopify.com/s/files/1/0429/1559/4393/files/jufuzame.pdf
    • https://cdn.shopify.com/s/files/1/0431/5699/6260/files/59361563107.pdf
    • https://cdn.shopify.com/s/files/1/0434/5239/9773/files/11257065899.pdf
    • https://cdn.shopify.com/s/files/1/0429/8578/3455/files/slope_intercept_form_word_problems_wkst._answers.pdf
    • https://cdn.shopify.com/s/files/1/0435/8589/6609/files/los_libros_apocrifos_de_la_biblia.pdf
    • https://cdn.shopify.com/s/files/1/0428/5772/6118/files/noteberagemonavew.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/nawinep.pdf
    • https://cdn.shopify.com/s/files/1/0433/5868/3291/files/25959136728.pdf
    • https://cdn.shopify.com/s/files/1/0432/5395/6758/files/35378773692.pdf
    • https://cdn.shopify.com/s/files/1/0432/7197/9172/files/87572040504.pdf
    • https://cdn.shopify.com/s/files/1/0431/7665/7051/files/gradle_5._4._1.pdf
    XMP metadata namespace URIs (schema identifiers from the document's XMP packet, not clickable link annotations):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
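Both critical heuristics above rest on counting artifacts rather than on a parser bug, so the check can be reproduced with a small scanner. The following is an added example written for this page, not code from the report's analysis engine: it enumerates /URI action targets from the raw file and from inflated FlateDecode streams (object streams often hide annotations there), keeps XMP schema namespace URIs such as the six listed above out of the link tally, and applies a PDF_SEO_LINK_FARM-style test on file size, external link count and host concentration. The thresholds, the function names, the `.invalid` hosts and the generated sample PDF are all constructed assumptions, not values from the report.

```python
# Added triage example, not the report's analysis engine: enumerate clickable /URI
# targets, keep XMP schema namespace URIs apart from them, score host clustering.
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)    # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                  # /URI <hex string>
STREAM_DICT = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?=\s*(?:/|$))")        # not "/Length n 0 R"
XMP_PACKET = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
XMLNS_HTTP = re.compile(rb'xmlns:[A-Za-z0-9_]+="(https?://[^"]+)"')  # URL-shaped namespaces

def pdf_unescape(raw: bytes) -> bytes:
    # Decode PDF literal-string escapes: escaped delimiters, \n \r \t \b \f, \ddd octal.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C:                 # not a backslash: copy through
            out.append(raw[i]); i += 1; continue
        i += 1
        if i >= len(raw): break
        m = re.match(rb"[0-7]{1,3}", raw[i:i + 3])
        if m:                              # octal escape
            out.append(int(m.group(0), 8) & 0xFF); i += len(m.group(0)); continue
        out.append({0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}.get(raw[i], raw[i])); i += 1
    return bytes(out)

def _regions(pdf: bytes):
    """The raw file, then each FlateDecode stream body (direct /Length) that inflates."""
    yield pdf
    for m in STREAM_DICT.finditer(pdf):
        ln = DIRECT_LENGTH.search(m.group(1))
        if b"/FlateDecode" in m.group(1) and ln:
            try:
                yield zlib.decompress(pdf[m.end():m.end() + int(ln.group(1))])
            except zlib.error:
                pass  # predictors, encryption or a damaged body: out of scope here

def extract_link_uris(pdf: bytes) -> list:
    """Every /URI action target, decoded to str, in encounter order."""
    found = []
    for region in _regions(pdf):
        found += [pdf_unescape(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(region)]
        for m in URI_HEX.finditer(region):
            h = re.sub(rb"\s", b"", m.group(1))
            found.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1"))
    return found

def extract_xmp_namespaces(pdf: bytes) -> set:
    """URL-shaped xmlns values inside the XMP packet: schema identifiers, not links."""
    return {u.decode("latin-1") for region in _regions(pdf)
            for pkt in XMP_PACKET.finditer(region) for u in XMLNS_HTTP.findall(pkt.group(0))}

def assess_link_farm(pdf: bytes, min_links=10, max_size=200 * 1024, min_top_share=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style test (illustrative thresholds): small file, many links, one dominant host."""
    hosts = Counter()
    for u in extract_link_uris(pdf):
        p = urlsplit(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts[p.hostname.lower()] += 1
    external = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / external if external else 0.0
    return {"size_bytes": len(pdf), "external_links": external, "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(share, 4),
            "flagged": len(pdf) <= max_size and external >= min_links and share >= min_top_share}

def build_sample_pdf(link_uris, xmp_namespaces, compress_from=12) -> bytes:
    """Constructed minimal PDF (no xref; for scanning, not rendering): one Link annotation per
    URI, those from index `compress_from` on packed into a FlateDecode object stream, plus XMP."""
    plain, packed, refs = [], [], []
    for i, u in enumerate(link_uris):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        obj = f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ({esc}) >> >>\nendobj\n"
        refs.append(f"{10 + i} 0 R")
        (packed if i >= compress_from else plain).append(obj)
    xmlns = " ".join(f'xmlns:ns{i}="{u}"' for i, u in enumerate(xmp_namespaces))
    xmp = f'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF {xmlns}></rdf:RDF></x:xmpmeta>'
    objstm = zlib.compress("".join(packed).encode("latin-1"))
    return b"".join([
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{' '.join(refs)}] >>\nendobj\n".encode(),
        f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream\nendobj\n".encode(),
        "".join(plain).encode("latin-1"),
        b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(objstm),
        objstm, b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"])

# Constructed inputs mirroring the report's shape (placeholder hosts under .invalid):
# 12 links on one CDN-style host, 4 on scattered upload hosts, six standard XMP namespaces.
FARM_LINKS = [f"https://cdn.shop-example.invalid/s/files/{i}/doc{i}.pdf" for i in range(12)] + \
             [f"http://files.site{i}.invalid/uploads/{i}.pdf" for i in range(4)]
XMP_NS = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
          "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
          "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/"]
SAMPLE_PDF = build_sample_pdf(FARM_LINKS, XMP_NS)
```

Calling `assess_link_farm(SAMPLE_PDF)` flags the constructed carrier (16 external links, 75% on one host, a few KB in size) while the six XMP namespace URIs never enter the tally; that split is the point to keep in mind when reading the EMBEDDED_URL list above, since only URI actions reachable by a click belong in a link-farm count. The regex approach is for triage only: streams with DecodeParms predictors, indirect /Length values or encryption need a real PDF parser, and the redirector URL should be checked against threat intelligence or blocked at the proxy rather than browsed from an analyst workstation.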

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006469.bin
  SHA-256: ca5e8c8ae4c2f55c5b6c7d8b3b6a6b808f080ee5c7558d15325d50c269408ab5
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6469
  Size:    5168 bytes

Filename: font_01_sfnt_off000075e7.bin
  SHA-256: f978eb97a3cc9c1db9a1677a5bd5091fb3f39f078cc217c3dab38b2368f658e9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x75E7
  Size:    13768 bytes