Malicious PDF — malware analysis report

Static analysis result for SHA-256 318ba0b301b99402…

MALICIOUS

PDF

39.8 KB Created: 2020-08-10 19:58:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a384e4eea74fc68fe9ac18f339bfde2d SHA-1: fb8d4ca5b5c089a48b7aab5cacf074063c09f096 SHA-256: 318ba0b301b99402bea437934ecc33ab7f04e7dabe154dda647d7609df28e8db
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector. The primary malicious URL is https://ttraff.cc/pify?keyword=adjectives+worksheet+for+grade+2+pdf, which is likely used to redirect users to further malicious content. The document body, though heavily obfuscated, contains references to the redirector URL and appears to be a lure for educational material.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=adjectives+worksheet+for+grade+2+pdf
    • http://files.sdena.org/uploads/1/3/0/9/130969080/birivubagagabov.pdf
    • http://files.spaatthecolonnade.net/uploads/1/3/0/7/130739366/5634133.pdf
    • http://files.rbbf.com/uploads/1/3/1/3/131379396/023afe25e103fb.pdf
    • http://files.thephysicsdoctor.com/uploads/1/3/1/3/131379639/lolunibibuw.pdf
    • https://cdn.shopify.com/s/files/1/0428/6346/0508/files/iso_31000_risk_management_framework.pdf
    • https://cdn.shopify.com/s/files/1/0430/6314/8695/files/papamode.pdf
    • https://cdn.shopify.com/s/files/1/0434/6406/5174/files/minecraft_pe_update_0._14._0_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/6843/1265/files/96675668004.pdf
    • https://cdn.shopify.com/s/files/1/0432/2626/7806/files/82487988687.pdf
    • https://cdn.shopify.com/s/files/1/0434/5636/4709/files/revamoduk.pdf
    • https://cdn.shopify.com/s/files/1/0430/6075/6641/files/xazowonipawirisejere.pdf
    • https://cdn.shopify.com/s/files/1/0429/9541/7237/files/75109327878.pdf
    • https://cdn.shopify.com/s/files/1/0433/9430/2117/files/jogadaxivazijotagijuzi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0849/0663/files/defekasomulotelepoluw.pdf
    • https://cdn.shopify.com/s/files/1/0429/9754/7157/files/89570081718.pdf
    • https://cdn.shopify.com/s/files/1/0432/5251/4971/files/favenikovurafasumema.pdf
    • https://cdn.shopify.com/s/files/1/0432/1532/3291/files/pdf_splitter_and_merger_apk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d4d.bin
70dbfc0a2d233e2776ef73e7049ba731bc8523f67e76e762b2e4928c0d2ec487		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D4D 5800 bytes
font_01_sfnt_off00007121.bin
faacc5dc772affacd310effa2c2b460e4c9b15e7dbe83ac8c649f519b9ec689b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7121 9768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.