Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1665001eda6a7f5…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2020-08-25 00:59:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9acfb8efb5d62755341372333059034e
SHA-1: 52617e8139fde532d94d712f8c51e1ae94a0c8aa
SHA-256: f1665001eda6a7f56da9c67b366bf886f9ec7edfd536d424dac6f3fdd95992da
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggered a heuristic indicating that it links to known malicious redirector infrastructure, specifically a URL whose keyword parameter is 'new whatsapp status animated video'. It also shows the characteristics of a link farm: numerous external PDF links, most of them hosted on cdn.shopify.com. The ML classifier strongly flagged the PDF as malicious. The primary IOC is the redirector URL, which is most likely used to funnel victims to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.com/pify?keyword=new+whatsapp+status+animated+video

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005079.bin
    SHA-256: 6760d10c474a37e655a30047baaa064d02851126f77536ca15bd39b9e0901c7d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5079
    Size: 5192 bytes
  • Filename: font_01_sfnt_off0000620e.bin
    SHA-256: 068e73d24df12eb2519290eebcf6aa28ee18d83448117a85f98179b7ab42571c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x620E
    Size: 6760 bytes
  • Filename: font_02_sfnt_off00007a0d.bin
    SHA-256: d23a7d4c46bbe0e6a2bd38d05da5ea2dbe821dcc5f076823f971012dd026871f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A0D
    Size: 9928 bytes
  • Filename: font_03_sfnt_off00009c3b.bin
    SHA-256: 02e9c38542371fd8f55f57ef9670ee232cb4f2094404f121626c638ab5e608b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C3B
    Size: 18328 bytes