Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecba70f1d1a39556…

MALICIOUS

PDF

30.4 KB Created: 2020-08-29 05:33:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2e03683819e3e05becb970af1c007bc SHA-1: bb2dc7ee4c38449d5ac0362cf134c6d04f6a2c2c SHA-256: ecba70f1d1a395565cd09f75a2d95229756ef96a1f88361e38cc91aae39acb43
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link disguised as a product manual, which redirects to a known malicious domain. The PDF also contains a large number of external links, many of which point to benign content, suggesting a link farm or SEO poisoning tactic. The ML classifier strongly indicates maliciousness. No scripts were extracted, but the primary attack vector is the malicious redirector link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=delonghi+magnum+radiator+heater+manual
    • https://static.usrfiles.com/ugd/b8c837_4db56a3895fa4965a81bf66695c320eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e1ead65e6914f5ca61070ed010f43bc.pdf
    • https://static.usrfiles.com/ugd/b8c837_1c3812dcd03c437c93619d82f49a012a.pdf
    • https://static.usrfiles.com/ugd/b8c837_07fff8613603400091fccc9ee53c5e35.pdf
    • https://static.usrfiles.com/ugd/b8c837_5be3f9a172cd4177b11731fd3b77c14b.pdf
    • https://cdn.shopify.com/s/files/1/0430/2359/7725/files/dizotiraxosegedosovavapa.pdf
    • https://cdn.shopify.com/s/files/1/0429/9482/7415/files/fomajaxivugoger.pdf
    • https://cdn.shopify.com/s/files/1/0431/2976/6039/files/8335311176.pdf
    • https://cdn.shopify.com/s/files/1/0432/7381/4182/files/zisisekonisutog.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6695/files/10116278170.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003ddf.bin
f25fa898e2d56eb4f849df73c950a18bd0196e60fd92e0d6706e557e2a7d2c31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3DDF 5060 bytes
font_01_sfnt_off00004ee1.bin
f39ce29e58cb01d92fa3d2301c14751f0fb7c83231a45a118c210f4b9f8f5b1b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4EE1 8976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.