Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1defde76d493b5c…

Verdict: MALICIOUS

File type: PDF

Size: 40.6 KB
Created: 2020-08-31 15:19:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: aedba797f4ac0ab941c62885a171707e
SHA-1: 5184c0b703303d16ade2d3e2bb1b50c619b4fa76
SHA-256: f1defde76d493b5cfd08f121a3ae064a317a334a4e391d2d761da00dd6dbbb45

Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (not evidenced by this static analysis: no script was extracted from the sample, see Malware Insights)

The PDF contains a link farm of multiple external links, one of which points to a known malicious redirector. The document body, although heavily obfuscated, contains the same redirector URL, which indicates that the document's primary purpose is to lure users onto that infrastructure. The producer string (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with a machine-generated carrier rather than an authored document. No scripts were extracted, which limits further analysis of the attack chain to the link targets themselves.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The six namespace URIs at the end of the list come from the XMP metadata packet and are not clickable links.
    • https://ttraff.ru/wix?keyword=manualidades+navide%25C3%25B1as+faciles+de+hacer+para+ni%25C3%25B1os (redirector flagged by PDF_MALICIOUS_REDIRECTOR_LINK; also present in the document body)
    • https://static.usrfiles.com/ugd/cb4a18_df8e1b00d9ca4ff092430fbd37ca5c56.pdf
    • https://static.usrfiles.com/ugd/b8c837_62d82fdcc5a845b485b2fa1305dc45c9.pdf
    • https://static.usrfiles.com/ugd/b8c837_309a309bfe6143808f7624433e6b85f0.pdf
    • https://static.usrfiles.com/ugd/69b86f_eb059e8a6628405086ba7c6fbbb94342.pdf
    • https://static.usrfiles.com/ugd/fd3290_6bb1b41a1c4d46d3b85736140cc85db1.pdf
    • https://static.usrfiles.com/ugd/b8c837_4beb8039afed4e47a032263a46b8e020.pdf
    • https://static.usrfiles.com/ugd/19103d_33e6cfe6c20f45e482fd0cc83f1c3c42.pdf
    • https://cdn.shopify.com/s/files/1/0433/9869/3022/files/tisexofupitabex.pdf
    • https://cdn.shopify.com/s/files/1/0432/2836/4968/files/pefog.pdf
    • https://cdn.shopify.com/s/files/1/0428/3518/1734/files/gavakusotesuzalinuzexi.pdf
    • https://cdn.shopify.com/s/files/1/0433/3171/5225/files/jagoxokunakos.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP metadata namespace, not a link)
    • http://purl.org/dc/elements/1.1/ (XMP metadata namespace, not a link)
    • http://ns.adobe.com/pdf/1.3/ (XMP metadata namespace, not a link)
    • http://ns.adobe.com/xap/1.0/ (XMP metadata namespace, not a link)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP metadata namespace, not a link)
    • http://ns.adobe.com/xap/1.0/rights/ (XMP metadata namespace, not a link)
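The two link heuristics above and the per-channel URL labelling can be reproduced on a raw PDF without a full parser. The following is an added example written for this page, not the analysis engine's own code: it extracts URLs from /URI link actions, from the XMP metadata packet and from uncompressed content streams, labels each by channel, and then applies PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM with assumed thresholds. The sample PDF, the host names and the redirector blocklist are constructed for the example and are not taken from the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal uncompressed PDF with
# five /Link annotations, an XMP metadata stream and a page content stream that
# repeats the redirector URL. The /Length values are approximate; the regex
# extractor below does not rely on them, although a real parser would.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] /Contents 10 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://redirector.example/wix?keyword=test) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 10 10 20] /A << /S /URI /URI (https://files.example/ugd/a1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 20 10 30] /A << /S /URI /URI (https://files.example/ugd/a2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 10 40] /A << /S /URI /URI (https://files.example/ugd/a3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [0 40 10 50] /A << /S /URI /URI (https://cdn.example/s/files/x.pdf) >> >> endobj
9 0 obj << /Type /Metadata /Subtype /XML /Length 120 >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream endobj
10 0 obj << /Length 70 >> stream
BT /F1 12 Tf (visit https://redirector.example/wix?keyword=test) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumption: an analyst-maintained set of redirector hosts. The real heuristic
# keys on campaign infrastructure such as the host named in the report.
KNOWN_REDIRECTOR_HOSTS = {"redirector.example"}

# /A << /S /URI /URI (literal) >> link actions. Only literal strings are
# handled; hex strings <...> and escaped parentheses would need a real parser.
URI_ANNOT_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="(?P<uri>[^"]+)"')
BODY_URL_RE = re.compile(rb"https?://[^\s()<>\"]+")


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs so each URL is labelled by how it was reached:
    link_annotation (clickable), xmp_namespace (metadata, not a link) or
    document_body (text inside a content stream)."""
    found = []
    for m in URI_ANNOT_RE.finditer(pdf):
        found.append(("link_annotation", m.group("uri").decode("latin-1")))
    for s in STREAM_RE.finditer(pdf):
        body = s.group("body")
        if b"xmpmeta" in body:
            for m in XMLNS_RE.finditer(body):
                found.append(("xmp_namespace", m.group("uri").decode("latin-1")))
        else:
            for m in BODY_URL_RE.finditer(body):
                found.append(("document_body", m.group(0).decode("latin-1")))
    return found


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def evaluate(pdf: bytes, redirector_hosts=KNOWN_REDIRECTOR_HOSTS,
             small_bytes=100_000, min_pdf_links=3, cluster_ratio=0.5) -> dict:
    """Apply the two link heuristics from the report. Thresholds are assumptions."""
    urls = extract_urls(pdf)
    links = [u for ch, u in urls if ch == "link_annotation"]
    hits = []
    # PDF_MALICIOUS_REDIRECTOR_LINK: any clickable URI on a known redirector host.
    if any(host_of(u) in redirector_hosts for u in links):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    # PDF_SEO_LINK_FARM: a small file whose clickable links point at several
    # external .pdf files, mostly clustered on one host.
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) < small_bytes and len(pdf_links) >= min_pdf_links:
        _top_host, top_count = Counter(host_of(u) for u in pdf_links).most_common(1)[0]
        if top_count / len(pdf_links) >= cluster_ratio:
            hits.append("PDF_SEO_LINK_FARM")
    body_urls = {u for ch, u in urls if ch == "document_body"}
    return {
        "urls": urls,
        "hits": hits,
        # True when the redirector URL also appears in page text, as in the report.
        "redirector_in_body": any(host_of(u) in redirector_hosts for u in body_urls),
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_PDF)
    for channel, url in result["urls"]:
        print(f"{channel:16} {url}")
    print("hits:", result["hits"], "redirector_in_body:", result["redirector_in_body"])
```

On a real sample the content and metadata streams are almost always FlateDecode-compressed, so the body scan must run on the zlib-inflated stream data rather than on the raw file; the example keeps its streams uncompressed only so it runs stand-alone. Labelling the XMP namespace URIs separately matters in practice: they appear in every Adobe-style metadata packet and would otherwise inflate the external-link count that the link-farm heuristic depends on.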

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005c0b.bin
  SHA-256: 560f3063a0f68813df587310f594b3dc1caa02e75cfecb50a75b33f32ce3b05c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5C0B
  Size: 5520 bytes

Filename: font_01_sfnt_off00006e99.bin
  SHA-256: db5812ffbcaa065b7a0d822aca869e7dc2acb2b1fd1d2cf17f2a12cd8fa2aa64
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6E99
  Size: 11684 bytes