Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5eb62b7d3368337…

MALICIOUS

PDF

48.5 KB Created: 2020-08-30 04:03:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0db30092ed669ec4562eecc936aba12 SHA-1: e52f22a0a2a0d0c39d36333a3fe68bc2773ad4ca SHA-256: e5eb62b7d3368337d87e98e602694f4403b652f0aa8461873349f1336ec3ad90
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one prominent URL leading to a redirector. This redirector is associated with a keyword search for a PDF download, suggesting a lure to trick users into clicking the link. The presence of a "PDF_MALICIOUS_REDIRECTOR_LINK" heuristic firing further supports this, indicating the link points to known malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=estimating+in+building+construction+8th+edition+pdf+download
    • https://static.usrfiles.com/ugd/32acb1_d0d853f58e314b73ab95e7c1d9ceaac1.pdf
    • https://static.usrfiles.com/ugd/12f4eb_575d1537766b4ef985f065bfd1b8c25e.pdf
    • https://static.usrfiles.com/ugd/724fb5_8e24894121d84894a4daaeb27b936cba.pdf
    • https://static.usrfiles.com/ugd/d162e3_d9c53467336447419c7811c5c9c5027e.pdf
    • https://static.usrfiles.com/ugd/24853a_3100c4a2e8f543338f8f4bfe8e15d876.pdf
    • https://static.usrfiles.com/ugd/5b9365_4fa58b3d3b24467fb8f15adef6ba0eb6.pdf
    • https://static.usrfiles.com/ugd/b8c837_5efe5833b3c54858ac7df3b96a4a7ffc.pdf
    • https://static.usrfiles.com/ugd/b8c837_3747a899bcf04340a272ee1d411db89a.pdf
    • https://static.usrfiles.com/ugd/e8506d_940c161f6a614d68b92d360bda309d0d.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_f28d80f43cc34d5f966cff1ebc744657.pdf
    • https://static.usrfiles.com/ugd/a59130_533c2c983133471594ced080ac1639ec.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006785.bin
5d64c82933d69b368e80b2006616fc0dba5ea15b629b06a814762b7ef6cd8438		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6785 5952 bytes
font_01_sfnt_off00007b9b.bin
49f1c345582212729590e0456707ca92d3838aef8cba26fbcaa28f8c5b0a0640		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B9B 2116 bytes
font_02_sfnt_off00008566.bin
50dccfc570d3cdee6ddb3dbcd27c068526e8d4d933f102c0c1cf6ded81355a5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8566 15484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.