Malicious PDF — malware analysis report

Static analysis result for SHA-256 1caf36725100bc6c…

MALICIOUS

PDF

45.6 KB Created: 2020-09-04 18:47:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b6a8aef218e1153ad5549d6c367a96a SHA-1: 5aa5ad4aa4a1eb98cf0355efe4ba1f2a5e78106b SHA-256: 1caf36725100bc6cd4a6316c91ff8fa9c8dfd50c7f255d2a9dc7b0beaf3a317f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to a URL disguised as IELTS exam material. The document body, though heavily obfuscated, contains the same malicious URL. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external documents, likely to improve search engine ranking for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=ielts+reading+passage+early+childhood+education+answers
    • https://static.usrfiles.com/ugd/55e2c6_10023fe810c9472baadd19344b8c71dc.pdf
    • https://static.usrfiles.com/ugd/23e9be_fbf85bf5f095473f8912f0e13b22c278.pdf
    • https://static.usrfiles.com/ugd/fa32a6_e442c93271d4417e9c3c26db1059ff7a.pdf
    • https://cdn.shopify.com/s/files/1/0463/2251/6130/files/baaghi_2_picture_gana.pdf
    • https://cdn.shopify.com/s/files/1/0429/8434/1657/files/66740847015.pdf
    • https://cdn.shopify.com/s/files/1/0433/9505/5777/files/pisodaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/8252/2528/files/pijunovewa.pdf
    • https://cdn.shopify.com/s/files/1/0434/5865/8456/files/76126541188.pdf
    • https://static.usrfiles.com/ugd/e3c460_923f2fa74d2a44748fc40f63b2b9402a.pdf
    • https://static.usrfiles.com/ugd/3fb742_5e6f4ea5084241f6a234d96d488b0a39.pdf
    • https://static.usrfiles.com/ugd/b8c837_6cf90db3805747c491e9955418c73c9f.pdf
    • https://static.usrfiles.com/ugd/b8c837_62e7d0fc78bf44aeb11db80e0ba0244c.pdf
    • https://static.usrfiles.com/ugd/bbd3cf_fb05c95169434a7fbc21e60e7f294a53.pdf
    • https://static.usrfiles.com/ugd/2c608b_d63cb4334fd54b148f36e1d4a66229f0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006572.bin
07406836ce75a2c387a97410e038125eed42ad1b561fc1a9df57599528dcabd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6572 5348 bytes
font_01_sfnt_off000077a2.bin
7050fd69807ab7d11cc6458a3b98a44e8954d1156a99651b17e938f11741cbd2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77A2 10472 bytes
font_02_sfnt_off00009b23.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B23 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.