Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc7d7cc6103953b9…

Verdict: MALICIOUS
File type: PDF
Size: 51.7 KB
Created: 2020-09-19 00:49:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a928141c6af0ecbc8e39ee01fc4c6863
SHA-1: 9283bcccff21591bd8360cc0a6b4adb14be4c02a
SHA-256: dc7d7cc6103953b9b2048c105daefa5f4c4b0b404479880cfe291003e4e23feb
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though partially corrupted, contains text related to a product review, suggesting a lure to entice users to click the malicious link. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=behringer+xenyx+302usb+mixer+review

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000884f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x884F  5804 bytes
  SHA-256: 71e00e3aa3efc250da328554956c2e5add57f38f9af281ad6b6c84555c894cad
font_01_sfnt_off00009c0b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9C0B  11152 bytes
  SHA-256: 47971c9ca5d5eca7a4ca7a47855624f08ed3755eecbda39006ff9a020f371f9b