Malicious PDF — malware analysis report

Static analysis result for SHA-256 f78a9802ca5208f7…

MALICIOUS

PDF

51.7 KB Created: 2020-09-03 19:06:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8698bd528281441f5fe239ed90a94ad SHA-1: c395e6f4247ca41e0a3ce09a1513efef7282007f SHA-256: f78a9802ca5208f70a3cb5d17817da0c49d4fb24e56ada46485fd63be079837d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, constituting a link farm, with one specific URL identified as a malicious redirector. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the presence of the malicious redirector suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=hue+go+quick+start+guide
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51439980706.pdf
    • https://cdn.shopify.com/s/files/1/0427/9861/2636/files/52969587003.pdf
    • https://cdn.shopify.com/s/files/1/0435/1016/9759/files/29473974327.pdf
    • https://cdn.shopify.com/s/files/1/0454/6284/7640/files/57486629151.pdf
    • https://cdn.shopify.com/s/files/1/0437/3820/2273/files/chogada_tara_garba_whatsapp_status.pdf
    • https://cdn.shopify.com/s/files/1/0434/6085/3920/files/junetiva.pdf
    • https://cdn.shopify.com/s/files/1/0465/5372/7126/files/elements_and_principles_of_art_matrix_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0439/8641/9870/files/barriers_to_communication_in_counselling.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/25618010541.pdf
    • https://cdn.shopify.com/s/files/1/0435/5801/1035/files/mercedes_glb_2020_preisliste.pdf
    • https://cdn.shopify.com/s/files/1/0438/4777/8469/files/kenmore_elite_side_by_side_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/7410/0127/files/rolokom.pdf
    • https://static.usrfiles.com/ugd/a421e3_e20cf2d68f6d4252a66c84ac03594a7c.pdf
    • https://static.usrfiles.com/ugd/a891c0_ed584fce1c1c49049a2f96d4f4eeef0e.pdf
    • https://static.usrfiles.com/ugd/7c30af_779d6cfe04b44c06b4e68916b541a4b1.pdf
    • https://static.usrfiles.com/ugd/1849a1_c7efe2330c034b68a22c2e8f95491350.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000083c2.bin
a3b1d87d11d144eda1c0e2865e4dea1fe5480d03c3b42f223d2b67d634dacf19		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83C2 5228 bytes
font_01_sfnt_off00009598.bin
d1089d7b2c3d1d63b85ac45291d3297cf923129eb70808033e73267e9c281d77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9598 13972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.