Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2a85eea17e0e275…

MALICIOUS

PDF

42.1 KB Created: 2020-08-23 07:20:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f425801c2a5890d2df21896fc69e32bd SHA-1: 3edc36e345cd17a26b6b6e7658972cfa86e7f2a5 SHA-256: f2a85eea17e0e275d833e74d23d9f3f30cf6674a6ff1737a75330d24a6fb25d8
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links that lead to a redirector service, which in turn points to other URLs. The document body text, though partially corrupted, includes keywords related to a datasheet and the malicious URL. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms the presence of links to known malicious infrastructure, and the ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=dell+latitude+5400+cto+datasheet+pdf
    • http://files.islandqueenproductions.com/uploads/1/3/1/4/131453989/puxonimevewu_norun.pdf
    • http://zexewov.atasteofanglia.com/uploads/1/3/2/7/132741194/9548863.pdf
    • https://cdn.shopify.com/s/files/1/0438/4748/3557/files/vilros_raspberry_pi_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/91960476686.pdf
    • https://cdn.shopify.com/s/files/1/0434/6085/3920/files/cpc_practice_exam.pdf
    • https://cdn.shopify.com/s/files/1/0431/1928/0288/files/78701392808.pdf
    • https://cdn.shopify.com/s/files/1/0434/9621/0594/files/big_blue_bus_8.pdf
    • https://cdn.shopify.com/s/files/1/0433/8846/9398/files/kilawoteliwosuba.pdf
    • https://cdn.shopify.com/s/files/1/0436/9930/6648/files/actaris_sl7000.pdf
    • https://cdn.shopify.com/s/files/1/0427/8861/8396/files/mogejorisagisosaruz.pdf
    • https://cdn.shopify.com/s/files/1/0434/5459/5224/files/34924866231.pdf
    • https://cdn.shopify.com/s/files/1/0438/5210/3842/files/gebavavegomadixik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006377.bin
bfb4157a092109e09e4bc4fbdda6d35d1d54149a8407ea43e16de240289bc1aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6377 5500 bytes
font_01_sfnt_off00007630.bin
a6123fda1fe3c9398a77afff0891a830d76b64b2ff78a20dcf729b447ed1868e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7630 10928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.