Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb46e95f35bc66ed…

MALICIOUS

PDF

51.5 KB Created: 2020-09-21 05:16:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04c2d15e28a9d7fa486855fd3eb9b770 SHA-1: dd95ffb8f37c2cec6900939318c2ef97efe4be25 SHA-256: fb46e95f35bc66edaa678e3446ee8df22d2e0ce65fde8fc4c92a2e6581d955e8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. Additionally, the PDF exhibits characteristics of a link farm, as indicated by the PDF_SEO_LINK_FARM heuristic, suggesting an attempt to generate traffic or distribute content through numerous links. The ML_NYX_PDF_MALICIOUS heuristic further supports the malicious classification. The document body, though heavily obfuscated, contains the primary malicious URL, indicating a lure to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=a+mother+prayer+for+her+daughter+poem
    • http://files.mrgshouse.com/uploads/1/3/0/7/130776601/litilasujijabeli.pdf
    • http://lideduv.benjaminhoffman.org/uploads/1/3/1/4/131483214/tegogibasofinar_kowikajadukix_bilukenoni_kisorezo.pdf
    • http://files.afpbstore.com/uploads/1/3/1/6/131637211/9191868.pdf
    • http://files.bigkidcollector.com/uploads/1/3/2/3/132303245/4243383.pdf
    • http://puvofizu.pjobrienbmx.com/uploads/1/3/1/3/131380485/4878557.pdf
    • http://files.mmandmcatering.com/uploads/1/3/1/1/131163872/lupeleg.pdf
    • http://felavasa.periscopedigital.com.au/uploads/1/3/0/8/130813042/powefufazigeki.pdf
    • https://404ef48d-8f19-49db-bbf1-9684a92f33ea.filesusr.com/ugd/8ade13_5512f066581647f699e10faa404f4dbd.pdf?index=true
    • https://9c87e127-5430-46f4-a841-de36024fa173.filesusr.com/ugd/ce14f3_d402f9bb2a7845bcbd18c86e73286124.pdf?index=true
    • https://b154fdd6-a395-4ba3-bd95-8b93cab27991.filesusr.com/ugd/d3758e_ad7cb242409a49479810ebc646df6050.pdf?index=true
    • https://287a9a1b-26d5-48f9-9859-64cefc0cd50b.filesusr.com/ugd/6812d7_5a53d98178c74ac783f754784c3f18e0.pdf?index=true
    • https://53010ff1-11b9-43e1-8a86-6c3cd4bf3dce.filesusr.com/ugd/173616_61b50bd800f744b0b87c4adfd5fc00f0.pdf?index=true
    • https://4b321a9e-235a-4593-b156-38036473f6ba.filesusr.com/ugd/fc840b_796b217f55e047faa99273aa9ed253a5.pdf?index=true
    • https://81b6fa0c-94dc-4717-bacb-9e53f1a14f0d.filesusr.com/ugd/98857b_d4c258f35c2c4d51936752ccc9522f9b.pdf?index=true
    • https://b50f4a46-8a6d-4dc1-a337-9ddc46753c49.filesusr.com/ugd/e9cba9_fd14d09abc89477fbc1fb378f9acf5a1.pdf?index=true
    • https://10705d09-f9a1-45fe-bca6-88995646c5ba.filesusr.com/ugd/ca847e_a13a96180a4849ee84ef3865003f624f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007fc7.bin
d026195c4df0983f7b694accbda6372f1f003ed88ee86ca8232b540af9692e74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FC7 5064 bytes
font_01_sfnt_off00009103.bin
5ff16702ec1bfdf2ac4c955ab5b85ed275d965c107393ca65e5ed31747dbea8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9103 9976 bytes
font_02_sfnt_off0000b30b.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB30B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.