Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecad53aa306b3f34…

MALICIOUS

PDF

32.9 KB Created: 2020-08-13 15:32:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06736c64edf9caae69b7428db7aded81 SHA-1: a14312c0ceb448ef1a328afe9a1a3bb7e4ef5e43 SHA-256: ecad53aa306b3f34f3e1a5d208d3d05a767a42b5deebb63babba869c239c5359
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with one identified as a malicious redirector. The heuristic PDF_SEO_LINK_FARM indicates a mass external PDF link farm, suggesting the document is designed to lure users to external sites. The ML_NYX_PDF_MALICIOUS classifier strongly supports the malicious nature of this PDF. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=iscar+cutting+tools+catalogue+pdf
    • http://kopov.russaultmotorsports.com/uploads/1/3/0/7/130775085/7d3aeb.pdf
    • http://files.desertratfeatures.com/uploads/1/3/1/4/131452778/845e81e5882.pdf
    • http://files.hccvermillion.org/uploads/1/3/1/3/131397927/baniladesokadag.pdf
    • http://files.cea-alaska.org/uploads/1/3/1/4/131483108/lokatawufa_geromeje_dexexovowib_bojirut.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/rikakaxudote.pdf
    • https://cdn.shopify.com/s/files/1/0434/6095/2229/files/31744643283.pdf
    • https://cdn.shopify.com/s/files/1/0434/8870/6717/files/les_coliformes_fcaux.pdf
    • https://cdn.shopify.com/s/files/1/0431/8694/6212/files/14619746964.pdf
    • https://cdn.shopify.com/s/files/1/0433/9420/3806/files/appsc_polytechnic_lecturers_notification_2020_syllabus.pdf
    • https://cdn.shopify.com/s/files/1/0433/3761/3461/files/60664214634.pdf
    • https://cdn.shopify.com/s/files/1/0433/0081/4998/files/gwent_cards_in_white_orchard.pdf
    • https://cdn.shopify.com/s/files/1/0433/5301/4423/files/vetutefo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/11067845032.pdf
    • https://cdn.shopify.com/s/files/1/0436/2718/4281/files/21501789496.pdf
    • https://cdn.shopify.com/s/files/1/0435/0076/5336/files/36491791668.pdf
    • https://cdn.shopify.com/s/files/1/0437/9141/7505/files/allen_aiims_major_test_series_2020.pdf
    • https://cdn.shopify.com/s/files/1/0434/6649/0006/files/20464775471.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004568.bin
5d03f7dfd3fdfa6966524ed20e1c247832af24d6c0de2ca887698ca7a0577238		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4568 5260 bytes
font_01_sfnt_off0000574e.bin
850bf81a8d1c178529a2af16785f4e5e735c3723ef36f858c08feaa17e80d0fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x574E 8732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.