Malicious PDF — malware analysis report

Static analysis result for SHA-256 f12c1dd013e9cf54…

MALICIOUS

PDF

41.5 KB Created: 2020-08-05 01:36:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: befe446b74deac0a9823da1783a981ee SHA-1: ae3d075fa6b7448565b58d7167d9cb7f22d063ab SHA-256: f12c1dd013e9cf54ee1faf5e42c61fe27abbc7feb72d8b0c480c0f8d8f2ecade
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'printable blank monthly calendar pdf' and the malicious URL. This suggests a social engineering tactic to trick users into clicking the link, which then leads to malicious infrastructure. No scripts were extracted, and the primary malicious activity is link redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=printable+blank+monthly+calendar+pdf
    • http://kafix.mirrorpayroll.net/uploads/1/3/0/8/130814328/9527453.pdf
    • http://files.kayecameron.com/uploads/1/3/2/6/132681969/19a9ef427d85.pdf
    • http://files.jimpendergrass.com/uploads/1/3/2/8/132815961/xabixejeje-nenowapiwage-jisematonalon.pdf
    • https://cdn.shopify.com/s/files/1/0438/0930/8829/files/18920671525.pdf
    • https://cdn.shopify.com/s/files/1/0430/1488/1433/files/30907635199.pdf
    • https://cdn.shopify.com/s/files/1/0431/8229/3141/files/43522640114.pdf
    • https://cdn.shopify.com/s/files/1/0431/3061/8020/files/66623765027.pdf
    • https://cdn.shopify.com/s/files/1/0430/7173/3917/files/bobujizurev.pdf
    • https://cdn.shopify.com/s/files/1/0434/4152/0805/files/suxetokosusudir.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/15138334831.pdf
    • https://cdn.shopify.com/s/files/1/0432/9232/8104/files/79539918706.pdf
    • https://cdn.shopify.com/s/files/1/0430/6678/5949/files/mowagakesipej.pdf
    • https://cdn.shopify.com/s/files/1/0440/6919/1832/files/tidijixu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0304/3230/files/73472449164.pdf
    • https://cdn.shopify.com/s/files/1/0437/1791/8870/files/kali_linux_installation_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000643e.bin
7e77f8cd1fe6a9f0a8285156c6d5f959cdb657d565322e648e5d798a835d8106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x643E 5524 bytes
font_01_sfnt_off000076e6.bin
874450676efb21cbcb3d8acb41575ec9a3fbc8af2f2fae13be419ea60da3890c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76E6 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.