Malicious PDF — malware analysis report

Static analysis result for SHA-256 e71122e57630f662…

MALICIOUS

File type: PDF
Size: 46.8 KB
Created: 2020-08-31 11:26:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a389bb7de7324bbd7dc113f1a37bf1fd
SHA-1: 38b726c8ee0f7bb57b2ef8da492516991c61f8d4
SHA-256: e71122e57630f6627c8901dc1ef78caca664007b0e222ea151686822054f65b5
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link    T1204.002 User Execution: Malicious File

The PDF contains a large number of clickable link annotations. One points to a redirector service (ttraff.cc, with the search keyword "workout log sheet" carried in the query string); the rest point to further PDF files hosted on two file-hosting CDNs (static.usrfiles.com and cdn.shopify.com). The document body, though heavily obfuscated, contains text presenting it as a "workout log sheet". Taken together, the heuristic hits identify the PDF as a generated SEO/link-farm carrier whose job is to route a user who opens it into a redirect chain, i.e. a phishing or unwanted-software delivery attempt that depends on the user clicking rather than on any PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=workout+log+sheet
    • https://static.usrfiles.com/ugd/b8c837_1a68b588fcee4f509b10402ac94df59f.pdf
    • https://static.usrfiles.com/ugd/696117_d2d9b44c76ef4c8d81e5d26da091a47b.pdf
    • https://static.usrfiles.com/ugd/3826db_e6d5f01d4e914da691287123d24f2959.pdf
    • https://static.usrfiles.com/ugd/b8c837_02dd6ffa13a441a082f6696bee891411.pdf
    • https://static.usrfiles.com/ugd/b8c837_ccf468dcf2bc49ac84922b3fc48405da.pdf
    • https://cdn.shopify.com/s/files/1/0450/3601/1678/files/9308604039.pdf
    • https://cdn.shopify.com/s/files/1/0432/3190/3902/files/voxelumofotetimeberoxegu.pdf
    • https://cdn.shopify.com/s/files/1/0429/7352/8213/files/67594949159.pdf
    • https://cdn.shopify.com/s/files/1/0439/4346/1032/files/arjun_reddy_movie_bgm_songs_free.pdf
    • https://cdn.shopify.com/s/files/1/0453/8662/9288/files/22198471772.pdf
    • https://cdn.shopify.com/s/files/1/0437/8905/8206/files/60566418429.pdf
    • https://cdn.shopify.com/s/files/1/0434/0717/9941/files/sibako.pdf
    • https://cdn.shopify.com/s/files/1/0437/2119/5669/files/dictionary_english_to_english_to_tamil.pdf
    • https://cdn.shopify.com/s/files/1/0432/3901/4562/files/vm_ic_time_synchronization_provider.pdf
    • https://cdn.shopify.com/s/files/1/0461/9144/4119/files/beforehand_information_in_a_sentence.pdf
    • https://cdn.shopify.com/s/files/1/0437/0779/3561/files/metronome_beats_apkpure.pdf
    The remaining six entries are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links; they appear in any PDF carrying XMP metadata and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
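The two critical heuristics above describe a link-count and host-clustering check but the report does not show how the link targets are obtained. The Python below is an added example, not the vendor's detection code: it pulls /URI targets of link annotations out of a PDF (also from FlateDecode object streams, where PDF 1.5+ writers can place annotation dictionaries), keeps them apart from the XMP namespace URIs in the metadata stream, and re-creates the three findings on a constructed input. The thresholds (8 links, 60% on one host, 200 KB), the watchlist host redirect.example, the hosts static.files.example and cdn.shop.example, and the XMP packet are all assumptions for the example.

```python
"""Link-annotation triage for PDF carriers (added example, not the report's own tooling)."""
from __future__ import annotations
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI value of a link-annotation action: literal string (...) or hex string <...>
URI_RE = re.compile(
    rb"/S\s*/URI\s*/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
XMP_RE = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=.*?\?>", re.S)
HTTP_RE = re.compile(rb"https?://[^\s'\"<>()]+")


def _decode_pdf_string(m: re.Match) -> str:
    if m.group("hex") is not None:
        h = re.sub(rb"\s", b"", m.group("hex"))
        return bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1")
    return re.sub(rb"\\(.)", rb"\1", m.group("lit")).decode("latin-1")  # unescape \( \) \\


def scan_surfaces(pdf: bytes):
    """Yield the raw file plus every deflate stream that inflates; object streams
    hide annotation dictionaries, so a regex over raw bytes alone under-counts links."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates a truncated trailer, unlike zlib.decompress
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not deflate data (e.g. the XMP metadata stream): skip


def extract_link_uris(pdf: bytes) -> list[str]:
    """URIs reached through link annotations, in file order, duplicates kept."""
    return [_decode_pdf_string(m) for s in scan_surfaces(pdf) for m in URI_RE.finditer(s)]


def extract_metadata_urls(pdf: bytes) -> list[str]:
    """URLs inside XMP packets: namespace identifiers, never clickable."""
    found = {u.decode("latin-1") for p in XMP_RE.finditer(pdf) for u in HTTP_RE.findall(p.group(0))}
    return sorted(found)


def triage(pdf: bytes, redirector_hosts: set[str], min_links: int = 8,
           cluster_ratio: float = 0.6, max_size: int = 200 * 1024) -> list[tuple]:
    """Re-create the report's three heuristics; thresholds are assumed, not the vendor's."""
    links, meta, findings = extract_link_uris(pdf), extract_metadata_urls(pdf), []
    ext_pdf = [u for u in links
               if urlsplit(u).scheme in ("http", "https") and urlsplit(u).path.lower().endswith(".pdf")]
    if ext_pdf and len(pdf) <= max_size and len(ext_pdf) >= min_links:
        host, n = Counter(urlsplit(u).hostname for u in ext_pdf).most_common(1)[0]
        if n / len(ext_pdf) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{len(ext_pdf)} external .pdf links, {n} on {host}"))
    redirects = [u for u in links if urlsplit(u).hostname in redirector_hosts]
    if redirects:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirects))
    if links or meta:
        findings.append(("info", "EMBEDDED_URL", {"link_annotation": links, "xmp_metadata": meta}))
    return findings


# Constructed test input: placeholder hosts, not the sample's real infrastructure.
SAMPLE_LINKS = (["https://redirect.example/go?keyword=workout+log+sheet"]
                + [f"https://static.files.example/ugd/{i:02d}.pdf" for i in range(9)]
                + ["https://cdn.shop.example/files/a.pdf", "https://cdn.shop.example/files/b.pdf"])
SAMPLE_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
              b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
              b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
              b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/>'
              b'</rdf:RDF></x:xmpmeta><?xpacket end="w"?>')


def _pdf_string(s: str, as_hex: bool) -> bytes:
    raw = s.encode("latin-1")
    if as_hex:
        return b"<" + raw.hex().encode() + b">"
    return b"(" + raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)") + b")"


def build_sample_pdf(link_uris: list[str], compressed: bool = True) -> bytes:
    """Minimal PDF-shaped blob: link annotations (every 4th as a hex string) plus an XMP packet."""
    annots = b"".join(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
                      + _pdf_string(u, i % 4 == 3) + b" >> >>\n" for i, u in enumerate(link_uris))
    out = b"%PDF-1.5\n"
    if compressed:  # pack the annotations into a FlateDecode object stream
        data = zlib.compress(annots)
        out += b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(data)
        out += data + b"\nendstream\nendobj\n"
    else:
        out += b"5 0 obj\n" + annots + b"endobj\n"
    out += b"6 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(SAMPLE_XMP)
    return out + SAMPLE_XMP + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for sev, rule, detail in triage(build_sample_pdf(SAMPLE_LINKS), {"redirect.example"}):
        print(sev, rule, detail)
```

The metadata URLs are reported under EMBEDDED_URL but never feed the two critical rules, which is the distinction the report's "per-URL labels" remark is making. A production extractor would additionally resolve /GoToR and /Launch actions and OpenAction/AA JavaScript, handle streams behind other filters (LZW, ASCIIHex, filter chains) and parse the object graph rather than regex over bytes; the regex-plus-inflate approach here is enough to show why raw-byte scanning misses links in object streams.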

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt, i.e. TrueType/OpenType) of the kind a wkhtmltopdf-generated PDF normally carries; the report raises no finding against them and they are listed for completeness.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00007bb5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7BB5   4816 bytes
  SHA-256: 7d5eb09655d559db786781a20ff17d2019fc1eeb9c5dfd8298cf1c28c9e29cf6
font_01_sfnt_off00008c25.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8C25   10076 bytes
  SHA-256: f682cb4dedda62fd631e67c94f07a262706ba56cf4d2208580d84d78757b6186