Malicious PDF — malware analysis report

Static analysis result for SHA-256 1813db1ced24cc6d…

MALICIOUS

PDF

Size: 39.5 KB
Created: 2020-09-17 20:09:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9874cccda5a29ec0854f629f90b0a9c3
SHA-1: 2501d9b305387bb55e3c9e6ff721b9dafa35fdb0
SHA-256: 1813db1ced24cc6dee7bad39523a6e0edf60c0e623d027e1076c644ceac9103b
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, a significant portion of which point to a redirector service. The document body, though heavily obfuscated, contains text related to 'multiplying monomials worksheet pdf kuta' and the malicious URL, suggesting a lure for SEO poisoning. The ML classifier and heuristic firings strongly indicate malicious intent, likely to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=multiplying+monomials+worksheet+pdf+kuta
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://3fb00cab-3103-492b-ba05-776a71ae3f94.filesusr.com/ugd/8e7730_828d6836a8db4307b94a5184ec75cf7a.pdf?index=true
    • https://43c478a2-7ad0-4ecb-9937-07495ad45fe9.filesusr.com/ugd/2ac701_9276a50c65054bb6974d39a31dea757d.pdf?index=true
    • https://418a2f68-f1c7-4cca-ac32-334ad9115b46.filesusr.com/ugd/c0fca2_f69e9f9a02b8423db82c3a32478b7a77.pdf?index=true
    • https://84dc63cb-9d60-4a45-bf71-81d035a7c172.filesusr.com/ugd/9c66ff_ed9c629234704f9a815c1419a58beb9a.pdf?index=true
    • https://4e4a1a13-12ae-40a6-a573-6cabcdfff593.filesusr.com/ugd/b58d21_de2de8ada2cb40d6bd6d94ab4d545976.pdf?index=true
    • https://1f35e410-9d23-4610-bf84-a9a832970ee0.filesusr.com/ugd/1cc777_afb2a446cfbc42119f64d4418c014a8e.pdf?index=true
    • https://8ca75922-b3a5-4d0c-9b75-e41c3a8010fc.filesusr.com/ugd/95ea6b_ed6696b352cd447bb452b224351b790b.pdf?index=true
    • https://a7fcfedd-6b4e-4311-9a8a-995b424894f9.filesusr.com/ugd/de60da_8c7b43780ebe44a38807f0107836e7c8.pdf?index=true
    • https://ebf9d434-1e80-40e3-a637-30ac9a8cfb30.filesusr.com/ugd/3c2e2e_acca2042f1e04d4eabf2b92016a50776.pdf?index=true
    • https://793efdb7-6c97-4219-98ea-fa1371ca5514.filesusr.com/ugd/5c9621_66484829c6d64ef1b287bb280d76c5b2.pdf?index=true
    • https://6c39eb79-3cd0-4e19-8885-1a94e5d03173.filesusr.com/ugd/9b5f63_12c8f1cb6cce498a9ca2de2beb815ff5.pdf?index=true
    • https://7171fdde-1185-454e-9f7a-fd4de35228ef.filesusr.com/ugd/54e393_68aee0dbf26146228b097fd109c9169e.pdf?index=true
    • https://f5922416-bdf3-4e36-94b7-42dfa115cf22.filesusr.com/ugd/6cfc61_db70299fd4eb47879054137e63ef8335.pdf?index=true
    • https://3f25dd9f-3614-4f1d-a894-2d288cdfd54f.filesusr.com/ugd/1c44ce_b308310ca3c54b70af27cb9cde96d5a4.pdf?index=true
    • https://2025ff2e-6fd8-4653-b3c4-d8f0619c9c64.filesusr.com/ugd/33a2e4_222bc22f5cb74439bfdd9dd82cdebed3.pdf?index=true
    • https://083d1e68-a8ce-4c10-accc-9de1e75b0fd0.filesusr.com/ugd/eaf48f_07071a68499a4e51a36325963f7418a7.pdf?index=true
    • https://cb98355b-4a20-45e5-89b3-b95a193dfc35.filesusr.com/ugd/e32576_08951fbea8fc4728945f4338327704d6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004db2.bin
    SHA-256: cc89636fe94767d28507f92be029240d3c83a45c48fd699ba3a49f52e9315362
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DB2
    Size: 5600 bytes
  • font_01_sfnt_off000060a5.bin
    SHA-256: 1bbf59f6d2cca85775c08879b3249584cd7442928dba1b24019029704bc4f716
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x60A5
    Size: 9992 bytes
  • font_02_sfnt_off00008289.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8289
    Size: 4324 bytes