Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe51eca7686d0dac…

MALICIOUS

PDF

39.6 KB Created: 2020-09-09 01:22:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00b60b9f4d6b52e4a6f10eb44cc61b50 SHA-1: c30f01d3d3900dc9638d16ecfa3e5ab81fa0c23b SHA-256: fe51eca7686d0dac51e915e1b10efa768bc1898f7ae781d0890f23397cf9827a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to '2016 edition of journal citation reports', likely intended to trick users into clicking the malicious link. The ML classifier strongly indicates maliciousness, and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms the presence of a dangerous URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=2016+edition+of+journal+citation+reports
    • https://static.usrfiles.com/ugd/221f3a_da9aed31a7fd425c99c045378ca690e4.pdf
    • https://static.usrfiles.com/ugd/0994f9_7dfe3e7cccd64301a03e07c4c025b468.pdf
    • https://static.usrfiles.com/ugd/ec0012_fab0d56fa57140e38df32b418ed2c20c.pdf
    • https://cdn.shopify.com/s/files/1/0448/6758/4162/files/kiloteradikilosur.pdf
    • https://cdn.shopify.com/s/files/1/0428/1512/7708/files/28346281698.pdf
    • https://cdn.shopify.com/s/files/1/0429/5340/8675/files/dabubugijo.pdf
    • https://cdn.shopify.com/s/files/1/0434/8064/5782/files/mozubupegatoxosuz.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/salelixakibikiziz.pdf
    • https://cdn.shopify.com/s/files/1/0435/3681/0135/files/fexalebipatedidizebinof.pdf
    • https://cdn.shopify.com/s/files/1/0432/3350/9535/files/23796384810.pdf
    • https://cdn.shopify.com/s/files/1/0462/6015/8613/files/decimal_worksheet_for_5th_grade.pdf
    • https://cdn.shopify.com/s/files/1/0429/0635/3823/files/sibumowamixitagoferowisak.pdf
    • https://cdn.shopify.com/s/files/1/0459/6996/5216/files/10712159084.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a12.bin
7131f817529dcc869f5d1c95090579ed73d029f6a11231185f5acebd86ee404e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A12 5612 bytes
font_01_sfnt_off00006d42.bin
40ec892e789acd428c6abe034741a7407f0230b2f2df46706d72472fb3503479		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D42 10956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.