Malicious PDF — malware analysis report

Static analysis result for SHA-256 002b3f6c7f976458…

MALICIOUS

PDF

45.8 KB Created: 2020-09-17 08:47:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0e6adcaf6aa56e1d17cdd4de162d862 SHA-1: 29fdaaa341d315f4a8aaa1261c96986f6a02bb5a SHA-256: 002b3f6c7f976458cd58e0799a36ec7e8fc5622f0d5a00e6c6e4708fc93f5963
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

This PDF document contains a mass of external links, including a critical link to a known malicious redirector at https://ttraff.club/wix?keyword=piecewise+defined+functions+worksheet+answers. The document body, though heavily obfuscated, appears to contain references to educational content, likely a lure to encourage clicks on the malicious links. The presence of numerous PDF links suggests a link farm or a method to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=piecewise+defined+functions+worksheet+answers
    • http://mekinew.buckyd.com/uploads/1/3/1/4/131453648/numabenoze_vawurifoduxa_gofeliwumudero_xagigekonas.pdf
    • http://teligur.blink-fx.com/uploads/1/3/1/0/131069934/kifami_xikavidizu_mugaz.pdf
    • http://files.yogainfo.ca/uploads/1/3/0/9/130969428/kiwesen.pdf
    • http://files.nsksstaffers.com/uploads/1/3/1/6/131606563/758bbd.pdf
    • http://files.verdantmindandbody.com/uploads/1/3/2/6/132682564/rodudubomo_romakedup_midusiseginag_zenuj.pdf
    • http://pefamisu.mrsosterberg.com/uploads/1/3/0/7/130740151/657fdf073.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6b645744-04d8-4db8-a79d-46154a4a8d06.filesusr.com/ugd/5ed537_cee67b98451b48988db332eca6820d04.pdf?index=true
    • https://fa253351-77c3-4fcb-ab54-0fc4589c4e67.filesusr.com/ugd/c4f63d_b9c3ad42638940ba9cdc459ddf0cf4ab.pdf?index=true
    • https://23df3ec4-c34d-4236-aed6-670f5be0ccfc.filesusr.com/ugd/ad2ade_d27fd6bbe42b43a1aef844394d9c3203.pdf?index=true
    • https://c6bf98a4-4576-4888-87ca-96f4622d8bcf.filesusr.com/ugd/9cb112_e685c98285174b3e8e5c11186b854888.pdf?index=true
    • https://27a023a7-4550-4e2a-b886-4a8b2ffabe23.filesusr.com/ugd/bba345_e034081784e1497a9f227de2fa92cf41.pdf?index=true
    • https://187716eb-d9d9-4a43-86ed-b3411fbbfa63.filesusr.com/ugd/314c35_d207700aff85463daa58dadb79315203.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064bb.bin
6b0461efdee968fba7a76ba223e1953924522413ea1414cbb43a77e5c2188980		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64BB 5232 bytes
font_01_sfnt_off0000769b.bin
f6504091ac67f3c727083988bdce0c26ccbf886211a9a75cae67e02778585626		 pdf-font-stream PDF embedded font (sfnt) at offset 0x769B 15744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.