Malicious PDF — malware analysis report

Static analysis result for SHA-256 e151d0a747ec505a…

MALICIOUS

PDF

39.8 KB Created: 2020-09-09 08:47:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aef7f7604964e99b04daf40490af96ed SHA-1: 6fe6fe4e6143c290cc0d705a189fc81d2720408c SHA-256: e151d0a747ec505a1777c545f02d97eaa6c56ce3a2d0bea646f9ecaf581328ba
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to appear as legitimate resources, but the primary link redirects to malicious infrastructure. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this redirection. The document body, though heavily obfuscated, contains the text 'Best powerpoint templates free for students' and the malicious URL, indicating a lure for users to click the link. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=best+powerpoint+templates+free+for+students
    • https://cdn.shopify.com/s/files/1/0431/6296/0023/files/96921675615.pdf
    • https://cdn.shopify.com/s/files/1/0435/0961/2712/files/54883639025.pdf
    • https://cdn.shopify.com/s/files/1/0428/1021/2518/files/excel_repeat_last_action.pdf
    • https://cdn.shopify.com/s/files/1/0433/1739/5614/files/sidegize.pdf
    • https://cdn.shopify.com/s/files/1/0429/0406/0071/files/21656552183.pdf
    • https://cdn.shopify.com/s/files/1/0432/4986/0765/files/71097834638.pdf
    • https://cdn.shopify.com/s/files/1/0437/5796/1374/files/bruel_and_kjaer_2250_light_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/5672/6170/files/19145748370.pdf
    • https://static.usrfiles.com/ugd/f2c1dc_2349ced98f9e47efb251b8d24d04e118.pdf
    • https://static.usrfiles.com/ugd/1c8c1e_ab1c39c4361443748fca27060a84f9ac.pdf
    • https://static.usrfiles.com/ugd/1ee69b_d5aa84d879de4169bbf9ffacb7c5f251.pdf
    • https://static.usrfiles.com/ugd/735189_ea46a5d71f6f45b4b084f47d7e14a80d.pdf
    • https://static.usrfiles.com/ugd/e643da_f790b1bfed894a62aa7f80cf0ac51697.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e5d.bin
ae486a389131e68bbd27a5b917bc07d0ad8511f59fd84088fb608d1c5f10dfbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E5D 5328 bytes
font_01_sfnt_off00007078.bin
b483dfa9eec8de6eff97661c7396451e29c2419b359f16e18708f79764f1ce02		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7078 9888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.