Malicious PDF — malware analysis report

Static analysis result for SHA-256 f579e49d365ed51b…

MALICIOUS

PDF

45.0 KB Created: 2020-08-06 10:10:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6d0eff04beeb54f0f1503c7a0cae2bf SHA-1: 056a14d8cf676ca3e7eb1fa23a81e6b71f0a53e5 SHA-256: f579e49d365ed51ba3641a60e443e6c849b380afb48fc18c5db0b09b269c8f8e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that is also present in the heuristic firing. This suggests the document's primary purpose is to redirect users to malicious infrastructure, likely for further exploitation or phishing. No scripts were extracted, limiting the analysis of direct execution capabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ages+problems+shortcuts+and+tricks+pdf
    • http://files.rams-doc.co.uk/uploads/1/3/0/7/130740149/mepev.pdf
    • http://files.studiodeceramiqueartvm.com/uploads/1/3/1/4/131409498/1b9e6fe.pdf
    • http://files.metalmeltdown.com/uploads/1/3/0/7/130775755/36f932b68a.pdf
    • https://cdn.shopify.com/s/files/1/0431/7937/6798/files/tom_petty_discography_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/3050/3846/files/borojuboj.pdf
    • https://cdn.shopify.com/s/files/1/0434/1478/2103/files/paladomudes.pdf
    • https://cdn.shopify.com/s/files/1/0429/0894/2492/files/shotgun_reloading_data.pdf
    • https://cdn.shopify.com/s/files/1/0430/5325/2757/files/ganimo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0697/5382/files/87497262102.pdf
    • https://cdn.shopify.com/s/files/1/0434/5951/0425/files/moviestarplanet_hack_no_survey_2016.pdf
    • https://cdn.shopify.com/s/files/1/0435/3431/9776/files/watazepaza.pdf
    • https://cdn.shopify.com/s/files/1/0430/0367/4785/files/povotinatuditab.pdf
    • https://cdn.shopify.com/s/files/1/0427/6482/8838/files/github_install_git.pdf
    • https://cdn.shopify.com/s/files/1/0429/2483/4982/files/nurixiloti.pdf
    • https://cdn.shopify.com/s/files/1/0431/9330/3204/files/49675760249.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006280.bin
2e1c7d8a9182ef2ac7ebe8761add3c1d888a511c6ca415d14f6035aef6a44e3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6280 5644 bytes
font_01_sfnt_off0000758c.bin
101cf86c7c39aef31486589cf5a6edbc50444acc8774bff1c50871c63db8c48b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x758C 10372 bytes
font_02_sfnt_off000098e9.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98E9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.