Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7deac05c11a09e2…

MALICIOUS

PDF

43.0 KB Created: 2020-09-01 05:13:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc8e5ce791d66648349c322ca07b6b9c SHA-1: d7b1efe09409c802fd5ca97d196cf38434b2edb6 SHA-256: f7deac05c11a09e2eccb33ae443b9500be6f278fba5045ca7aafe01ce4d3296b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious Link

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to 'acoustic guitar pickup' and the malicious URL, suggesting a lure. The PDF also contains a large number of external links, indicating a link farm strategy. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=best+acoustic+guitar+pickup+for+live+performance
    • https://cdn.shopify.com/s/files/1/0427/6020/8540/files/54438178483.pdf
    • https://cdn.shopify.com/s/files/1/0437/7070/8125/files/wolupenekimujujerezux.pdf
    • https://cdn.shopify.com/s/files/1/0437/8011/2545/files/47696560178.pdf
    • https://static.usrfiles.com/ugd/01e791_12e25088d8c0418697515ed69c4463d4.pdf
    • https://static.usrfiles.com/ugd/625844_3e435a39de1a4f1385dc726c7e1462b0.pdf
    • https://static.usrfiles.com/ugd/c3548c_ad70026f978b44d1a5080b11845ce1a4.pdf
    • https://static.usrfiles.com/ugd/934fc3_ef14c2acc05d4f7e914ee3fb334a870d.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8a7595f5f2a47f0b8b9fe17c4e4072b.pdf
    • https://static.usrfiles.com/ugd/b8c837_192c92c0d559484dac893d6c930670a3.pdf
    • https://static.usrfiles.com/ugd/2e16aa_4ac4514874b64f5fa13d81ca8d6f396d.pdf
    • https://static.usrfiles.com/ugd/277b62_424d3e3367ec4a3f888c81c73f265a5e.pdf
    • https://static.usrfiles.com/ugd/aef5b7_65d75825b46b49bba0a6ca71c855f0e7.pdf
    • https://static.usrfiles.com/ugd/9e53d4_597a53179bf946858ca207d6bd8d1d08.pdf
    • https://static.usrfiles.com/ugd/902d29_175536b3b04445599c95858840b63f66.pdf
    • https://static.usrfiles.com/ugd/b8c837_510266711ea44240aaaeddf1757f5147.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069fa.bin
4edf8141456bdf79746b2427e92bae477c9bbb1a9d9b4ec232ca9fa0782cfb01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69FA 5508 bytes
font_01_sfnt_off00007cba.bin
0e9c7d52659c9d4771a37df8938c4f73c46fdd3597ad1e3131837a22ae1e0780		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CBA 10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.