Malicious PDF — malware analysis report

Static analysis result for SHA-256 2753fa7e9c4a8d6a…

MALICIOUS

PDF

45.7 KB Created: 2020-09-04 00:30:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7eef1260cb6a5f39130789c743d9f0c SHA-1: 240cf438476d15bb2b3823cdecae0949fea6cb1e SHA-256: 2753fa7e9c4a8d6aaf01aa73e19fc93af5ec6a96cc754c866f4835efc588c395
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF contains a prominent link that, when clicked, redirects to a malicious URL. The document body text and embedded URLs suggest a lure related to IELTS reading answers, which then redirects to a link farm. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the malicious nature of the redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=fueling+the+future+ielts+reading+answers
    • https://cdn.shopify.com/s/files/1/0433/6189/4565/files/algebra_pure_and_applied_papantonopoulou.pdf
    • https://cdn.shopify.com/s/files/1/0434/9440/8352/files/92528707093.pdf
    • https://cdn.shopify.com/s/files/1/0432/0965/4434/files/97997094249.pdf
    • https://cdn.shopify.com/s/files/1/0428/4016/2467/files/71021554427.pdf
    • https://cdn.shopify.com/s/files/1/0431/5561/9994/files/drdo_ceptam_8_notification.pdf
    • https://cdn.shopify.com/s/files/1/0452/3904/2205/files/81173941733.pdf
    • https://cdn.shopify.com/s/files/1/0437/3633/4485/files/bikodoreludosupasifefux.pdf
    • https://cdn.shopify.com/s/files/1/0464/3140/4184/files/busy_accounting_software_gst_free.pdf
    • https://cdn.shopify.com/s/files/1/0438/4777/8469/files/wuzuwave.pdf
    • https://cdn.shopify.com/s/files/1/0431/2583/3884/files/amman_movie_songs_free.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_2aa19be6f8f84e399b935350e724eede.pdf
    • https://static.usrfiles.com/ugd/191a6d_07c2eb820bfa428c8f1a79404969203b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007217.bin
67c3772713a27d17f33886baae6db1fbc8fe4d653786d3a555edf0d6e8467695		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7217 5216 bytes
font_01_sfnt_off000083e6.bin
c89108fe88f577f6e493a941b299e2ae61c0d9410660a6233a03dca15d7fb76e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83E6 11712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.