Malicious PDF — malware analysis report

Static analysis result for SHA-256 31571e976b282069…

MALICIOUS

PDF

45.9 KB Created: 2020-08-23 07:41:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0d2af7cbcebbb44b7af499c00a2b59a SHA-1: 94009af0884521e22e1ad5575f2f3f6ec9446c50 SHA-256: 31571e976b2820695d92aebcc753c9777a602ca92604fce35c2e53a45bdd9358
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, suggesting a link farm. The primary malicious URL identified is a redirector, likely used to obscure the final destination. The document body contains text related to 'idioms pdf worksheet' and the wkhtmltopdf application, which may be a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=idioms+pdf+worksheet
    • http://pogedojeg.workshopforwriters.com/uploads/1/3/0/7/130775217/fddfba.pdf
    • https://cdn.shopify.com/s/files/1/0428/5913/5132/files/dobumofe.pdf
    • https://cdn.shopify.com/s/files/1/0428/8859/3571/files/sevosaxe.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/vitapixedebi.pdf
    • https://cdn.shopify.com/s/files/1/0429/7303/6697/files/80404755920.pdf
    • https://cdn.shopify.com/s/files/1/0430/3765/5193/files/clicker_garage_door_opener_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0429/8709/4179/files/luxidexafak.pdf
    • https://cdn.shopify.com/s/files/1/0435/5883/0229/files/python_dict_get.pdf
    • https://cdn.shopify.com/s/files/1/0431/7973/7237/files/xanekowipe.pdf
    • https://cdn.shopify.com/s/files/1/0461/0611/6260/files/5738081822.pdf
    • https://cdn.shopify.com/s/files/1/0428/2161/5783/files/articles_worksheet_for_grade_3.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3351/files/52804841993.pdf
    • https://cdn.shopify.com/s/files/1/0435/7901/5331/files/gelekemufiraviverex.pdf
    • https://cdn.shopify.com/s/files/1/0433/0474/7168/files/cellulite_dentaire_et_anti_inflammatoire.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069f0.bin
01f61784d6daa5e180627551d4b88c610d61664259cd3a4978692a5010f8d839		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69F0 4816 bytes
font_01_sfnt_off00007a64.bin
e026613f2208181add028982650d4d1bd1188997909b757a70f35e091efc4d36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A64 10264 bytes
font_02_sfnt_off00009d30.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D30 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.