Malicious PDF — malware analysis report

Static analysis result for SHA-256 db86a42d05688529…

MALICIOUS

PDF

41.6 KB Created: 2020-08-21 11:10:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db206a8bbe264db67992094576c24248 SHA-1: 3a0e7dabece6a343495d930065167fa5ad675de5 SHA-256: db86a42d05688529afb0069751011dbdbe54eac602d1b38c2661a88b3a9926e0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for linking to known malicious redirector infrastructure. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs pointing to external PDF files, likely for SEO manipulation or to host further malicious content. The ML classifier also strongly flagged this PDF as malicious. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=alta+sierra+snow+report
    • http://files.kvag.net/uploads/1/3/1/1/131164425/nisofebifumaguto.pdf
    • http://ripemuxap.andrewjohnsart.com/uploads/1/3/0/7/130738696/7192731.pdf
    • http://files.theinnatraggededge.com/uploads/1/3/0/8/130874240/12c58bf09.pdf
    • http://files.justbecauseus.com/uploads/1/3/1/3/131383476/ratedobekovobor.pdf
    • http://files.westcountryswords.co.uk/uploads/1/3/0/8/130873717/1a9ceb0c.pdf
    • https://cdn.shopify.com/s/files/1/0429/1955/9335/files/37405731037.pdf
    • https://cdn.shopify.com/s/files/1/0431/3271/5163/files/11660773750.pdf
    • https://cdn.shopify.com/s/files/1/0437/8319/2727/files/57668706115.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xibirinadinabamagumib.pdf
    • https://cdn.shopify.com/s/files/1/0439/1357/6603/files/nitam.pdf
    • https://cdn.shopify.com/s/files/1/0432/3577/0535/files/borges_ficciones.pdf
    • https://cdn.shopify.com/s/files/1/0429/2801/3475/files/android_notification_auto_alert.pdf
    • https://cdn.shopify.com/s/files/1/0433/6094/4296/files/organic_chemistry_vollhardt.pdf
    • https://cdn.shopify.com/s/files/1/0428/4314/4355/files/2020_restricted_holidays_in_tamilnadu.pdf
    • https://cdn.shopify.com/s/files/1/0433/6861/1989/files/25722602506.pdf
    • https://cdn.shopify.com/s/files/1/0439/5306/2043/files/21846239202.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5229/files/viwogorafilududoza.pdf
    • https://cdn.shopify.com/s/files/1/0439/0833/3736/files/binary_tree_javascript.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006445.bin
d0f781097c20b43ee674508e89ccfad84125b6e659519a7cdd7786e21e4ee431		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6445 4896 bytes
font_01_sfnt_off00007504.bin
405f5c0ba5dd41aad238d9c346d7bfdda83da0a35318d865cbd7541b45901ca2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7504 10632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.