Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c82dc56c8efa921…

MALICIOUS

PDF

Size: 43.2 KB
Created: 2020-08-31 04:50:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 99c90e0187a28495f8f0a246964a10b8
SHA-1: 0d886e482202c875a0cca20bc128881294d61117
SHA-256: 1c82dc56c8efa9210a13dd59497625ee0c08ce7d76359a235e2051f3c42148cf
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=pre+k+workbook+pdf'. This URL is presented within the document body, suggesting a social engineering lure to trick users into clicking it. The PDF also contains a mass external link farm, further indicating malicious intent. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.cc/wix?keyword=pre+k+workbook+pdf
    • https://cdn.shopify.com/s/files/1/0431/4782/1205/files/86539614643.pdf
    • https://cdn.shopify.com/s/files/1/0463/4551/9261/files/nirvana_gtd_setup_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/3123/1655/files/wetuwatetegubeti.pdf
    • https://cdn.shopify.com/s/files/1/0440/3838/9925/files/80571592471.pdf
    • https://cdn.shopify.com/s/files/1/0438/3077/1869/files/la_mort_de_mr_yosie_lokote_nouvelles.pdf
    • https://static.usrfiles.com/ugd/735424_cf21167c7e48447f95334c342790bf50.pdf
    • https://static.usrfiles.com/ugd/33a2e4_52c1f080ff9245fc952c4a4502c40b7f.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c6a4457b9b645ce8099dee94f1ce2a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f825cf65625495496c79e78b526030c.pdf
    • https://static.usrfiles.com/ugd/5cf23b_b1b27bff17124427a0be940e9b1d00ba.pdf
    • https://static.usrfiles.com/ugd/166c09_527fdc6eb87342f99b946dc2e420182f.pdf
    • https://static.usrfiles.com/ugd/696b8a_5ffec19e353742da81f013e1ccc6f7de.pdf
    • https://static.usrfiles.com/ugd/10e3af_2c9b18a71862459d99ed511b6fb0ef03.pdf
    • https://static.usrfiles.com/ugd/238140_c03835010c8b407f9e25da3dd348da3e.pdf
    • https://static.usrfiles.com/ugd/07625c_699425c3bf7245d7b2f272daec97e759.pdf
    • https://static.usrfiles.com/ugd/c5d40f_ed5c129eb6d14c78873ad98bd2912564.pdf
    • https://static.usrfiles.com/ugd/e4bc37_155cbbc26c47469abd8c2b857f530d7f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00006b30.bin (SHA-256 2b6f79841f6d905aec6545e440a2375f9e7e734e01541d9bff32320bfd3641c7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B30 | 4912 bytes
font_01_sfnt_off00007c04.bin (SHA-256 d1c68381f6305a7593bbeb623d1b3f427ae3a8e327aa3248b73292307305c1c4) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C04 | 10588 bytes