Malicious PDF — malware analysis report

Static analysis result for SHA-256 dab84b27c3aaac07…

MALICIOUS

PDF

46.1 KB Created: 2020-08-24 14:29:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bfa4eb70b5ce250e28c7e95015b49845 SHA-1: ecacab9200f5f1ba85bd79c59c5d8048abbf74a4 SHA-256: dab84b27c3aaac07620ab648b0b2ce6657d63d1fa2a5b6670509e3327432c95f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a BIOS update notification, aiming to trick the user into clicking it. The document body, though heavily obfuscated, contains the target URL and references to a BIOS update. The PDF also hosts a large number of external links, many pointing to Shopify, likely as part of a link farm to improve SEO for malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=update+bios+gigabyte+ga-+h61m-+s2p
    • http://files.roverchaseacademy.com/uploads/1/3/0/7/130775838/142fdec1.pdf
    • http://gakekedu.mooresgreenhouse.net/uploads/1/3/0/7/130739777/2670972.pdf
    • https://cdn.shopify.com/s/files/1/0438/9024/5787/files/88897708449.pdf
    • https://cdn.shopify.com/s/files/1/0439/3458/0891/files/sonizanonena.pdf
    • https://cdn.shopify.com/s/files/1/0431/8475/0747/files/79498631835.pdf
    • https://cdn.shopify.com/s/files/1/0432/7319/1588/files/86072888677.pdf
    • https://cdn.shopify.com/s/files/1/0437/6900/4190/files/karawoxagovatelulide.pdf
    • https://cdn.shopify.com/s/files/1/0431/8828/9696/files/63551861045.pdf
    • https://cdn.shopify.com/s/files/1/0431/1695/3751/files/ballot_paper_2020.pdf
    • https://cdn.shopify.com/s/files/1/0435/6354/8831/files/vetiditazivitewubegaliwa.pdf
    • https://cdn.shopify.com/s/files/1/0435/5378/3967/files/venus_in_furs.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1261535930.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0428/9835/84

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000571f.bin
5dfc4758ad44ebc48c3775101f20851c8e2ef64ca4d18918cf441e8d51cc2e47		 pdf-font-stream PDF embedded font (sfnt) at offset 0x571F 5848 bytes
font_01_sfnt_off00006aef.bin
a98bf1f3e9117c0c36283a4df10a56324520ebf1317945778e9ae66d6af79e89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AEF 7228 bytes
font_02_sfnt_off00007e06.bin
214b4f622e3029fb367361b931fdb741bf2ddd6948d1668a7574c6ce106029dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E06 14352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.