Malicious PDF — malware analysis report

Static analysis result for SHA-256 329a72687de2f882…

MALICIOUS

PDF

73.6 KB Created: 2020-08-30 04:07:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f20c79a677c8ffe3dab4095d6cc64d1 SHA-1: adc962c5aed47cd27c5f19f608758ff2e7ddbe49 SHA-256: 329a72687de2f882ac4610a60009cd083fc93a2109bde342a14a4d56a54985ec
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'note taking study guide answers' and the malicious URL. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms the presence of a link to known malicious infrastructure, and the ML classifier strongly indicates maliciousness. The primary attack vector appears to be social engineering via a deceptive document title to trick users into visiting a malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=chapter+16+section+3+note+taking+study+guide+answers
    • https://static.usrfiles.com/ugd/e643da_c4678bcb93454706955fa09d17934fe2.pdf
    • https://static.usrfiles.com/ugd/b8c837_6077fea1ecaa4c87afd75ccf61108b86.pdf
    • https://static.usrfiles.com/ugd/824332_9cdecd499300441a8ec5de9cfc075c24.pdf
    • https://static.usrfiles.com/ugd/b8c837_00b0f315ce69400b92392478d17f8673.pdf
    • https://static.usrfiles.com/ugd/b8c837_1194370f7fe24c9aae7dbc812492f2fd.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5d4a7022c8449feb37ebda458bdbc95.pdf
    • https://static.usrfiles.com/ugd/b8c837_6eed2c5a91d44e8e9499a91278564030.pdf
    • https://static.usrfiles.com/ugd/b8c837_47bf84b640f6426cb4871c64fbd75f2b.pdf
    • https://static.usrfiles.com/ugd/930050_155ac11eeb644b5fb74d47e525a0249e.pdf
    • https://static.usrfiles.com/ugd/b4a829_35ef2270b1404e179af63f46653cadf9.pdf
    • https://static.usrfiles.com/ugd/b8c837_9bec7f00dfa645c18488ffa75b96729d.pdf
    • https://static.usrfiles.com/ugd/b8c837_292e57e6f54449f19591ea43a18221a3.pdf
    • https://static.usrfiles.com/ugd/7f929b_f6f906a7f5874e9ca529f2cf2358b2ab.pdf
    • https://cdn.shopify.com/s/files/1/0459/7127/5943/files/79735755555.pdf
    • https://cdn.shopify.com/s/files/1/0438/9113/0536/files/r_statistical_software.pdf
    • https://cdn.shopify.com/s/files/1/0435/2209/7304/files/82944932138.pdf
    • https://cdn.shopify.com/s/files/1/0438/3444/1890/files/43991566057.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d595.bin
3d7bc718df9052751c9c50d6b52fe261f9e537ba4d60097c1300fe31a82393cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD595 5836 bytes
font_01_sfnt_off0000e985.bin
042b5d4e1d421ead4fb7fc8d2d06ff7af03847365b3ba4d29704e054870390dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE985 15200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.