Malicious PDF — malware analysis report

Static analysis result for SHA-256 3879913c9df01282…

MALICIOUS

File type: PDF
Size: 68.9 KB
Created: 2020-08-10 20:58:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aff53b1f47ee3df371f3d01b12abfd37
SHA-1: 4c64ef67de412e3c0bffca982a0bf4cff2fd5061
SHA-256: 3879913c9df01282622ff9b613d5ddacf4463c283b0f637937d6462d4997c5b2
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous clickable links, most of them pointing to other PDF files hosted on a small set of domains, which is the pattern of a generated link farm used for SEO poisoning. The critical heuristic is a link to a known malicious redirector, ttraff.cc, whose query string carries the search term 'physics textbook grade 11 pdf nelson': the document is bait for users searching for that textbook and is meant to route them, through the redirector, to unwanted or malicious downloads disguised as educational material. No scripts were extracted from the sample; the verdict rests on the document structure and the embedded links. The attack depends on user interaction (clicking a link) and redirect chains rather than on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached each URL (macro, JS, link annotation, document body, ...), as labelled below.
    Clickable link targets (link annotations):
    • https://ttraff.cc/pify?keyword=physics+textbook+grade+11+pdf+nelson (known redirector; the keyword parameter carries the lure search term)
    • http://files.asikeyipark.ca/uploads/1/3/0/7/130774977/nezomoba_vatigumuwugol_mepozibexo_jolulixim.pdf
    • http://files.sweetalchemyvermont.com/uploads/1/3/2/6/132696174/da99f772.pdf
    • http://luzelebot.desertmountainchurchofantelopevalley.com/uploads/1/3/2/6/132682090/4872218.pdf
    • http://fefovebo.msqg.org/uploads/1/3/1/4/131438641/nexuz_nokidep_xopavaj_xiwizamu.pdf
    • http://files.truespiritart.com/uploads/1/3/2/6/132696335/sisabem.pdf
    • https://cdn.shopify.com/s/files/1/0431/8471/7979/files/7106681037.pdf
    • https://cdn.shopify.com/s/files/1/0432/3596/7143/files/sopibodibizupaxuxove.pdf
    • https://cdn.shopify.com/s/files/1/0437/8004/7010/files/english_to_french_words_with_pronunciation.pdf
    • https://cdn.shopify.com/s/files/1/0428/1283/3959/files/tafamepilujum.pdf
    • https://cdn.shopify.com/s/files/1/0445/6418/5247/files/ms_excel_advanced_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0433/7346/1660/files/11990625318.pdf
    • https://cdn.shopify.com/s/files/1/0434/0659/0104/files/56061599231.pdf
    • https://cdn.shopify.com/s/files/1/0431/6394/3067/files/7339456985.pdf
    • https://cdn.shopify.com/s/files/1/0434/5207/2086/files/gta_4_mac.pdf
    • https://cdn.shopify.com/s/files/1/0454/8021/4678/files/free_download_splitter_and_joiner_software.pdf
    • https://cdn.shopify.com/s/files/1/0430/1019/5605/files/49348304440.pdf
    • https://cdn.shopify.com/s/files/1/0429/6232/1567/files/convert_base64_string_to_angularjs.pdf
    • https://cdn.shopify.com/s/files/1/0427/4647/8759/files/hazardous_waste_management_act_pdf.pdf
    XMP/RDF namespace identifiers found in the document metadata (standard schema URIs emitted by the authoring tool, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
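The two critical heuristics above (a clickable link to a known redirector, and a small PDF whose clickable targets are mostly .pdf files on one host) and the per-URL channel labelling can be reproduced with a short triage script. The following is an added example written for this page, not the vendor's tooling: it builds a minimal PDF inline as constructed input (placeholder link-farm hosts under .example plus the ttraff.cc link from this report), extracts every URL together with the channel it was reached through, and applies threshold values that are illustrative assumptions rather than the vendor's.

```python
"""Triage of PDF link targets: which URLs are actually clickable, whether any
points at a known redirector, and whether the clickable targets form a link
farm. Added example; not the report's own tooling. The PDF it analyses is
constructed inline (hosts under .example are placeholders)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Stand-in for a threat-intel list of redirector hosts (assumption, seeded with
# the one host the report names).
KNOWN_REDIRECTORS = {"ttraff.cc"}

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)  # one match per indirect object
LINK_RE = re.compile(rb"/Subtype\s*/Link")                   # link annotation dictionaries
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                  # /URI action target (literal string)
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")          # any URL anywhere in the file


def build_sample_pdf(link_urls):
    """Emit a minimal, viewer-openable single-page PDF with one /Link annotation
    per URL and an XMP metadata stream (so namespace URIs are present too)."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
        % (len(xmp), xmp),
    ]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [%s] >>" % annots)
    for i, url in enumerate(link_urls):  # one clickable rectangle per URL
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (760 - 14 * i, 772 - 14 * i, url.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


def extract_urls(pdf):
    """Map every URL in the file to the channel it came from. Only /URI actions
    inside /Link annotation objects are clickable; anything else (here, the XMP
    namespace URIs) is document body or metadata, not a user-reachable link."""
    clickable = set()
    for _num, body in OBJ_RE.findall(pdf):
        if LINK_RE.search(body):
            clickable.update(u.decode("latin-1") for u in URI_RE.findall(body))
    labelled = {}
    for raw in ANY_URL_RE.findall(pdf):
        url = raw.decode("latin-1")
        labelled[url] = "link-annotation" if url in clickable else "document-body/metadata"
    return labelled


def triage(pdf, min_links=10, dominant_share=0.5, max_size=200_000):
    """Reproduce the report's two critical heuristics: a clickable link to a known
    redirector (with the lure keyword pulled from its query string) and a small
    PDF whose clickable targets are mostly .pdf files on one host. The threshold
    defaults are illustrative assumptions, not the vendor's values."""
    links = [u for u, chan in extract_urls(pdf).items() if chan == "link-annotation"]
    findings = []
    for url in links:
        parts = urlsplit(url)
        if parts.hostname in KNOWN_REDIRECTORS:
            keyword = parse_qs(parts.query).get("keyword", [""])[0]
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", parts.hostname, keyword))
    pdf_targets = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) <= max_size and len(pdf_targets) >= min_links:
        host, n = Counter(urlsplit(u).hostname for u in pdf_targets).most_common(1)[0]
        if n / len(pdf_targets) >= dominant_share:
            findings.append(("PDF_SEO_LINK_FARM", host, "%d/%d" % (n, len(pdf_targets))))
    return findings


# Constructed sample: the report's redirector link plus a placeholder link farm,
# twelve targets on one host and six scattered across other hosts.
SAMPLE_LINKS = (
    ["https://ttraff.cc/pify?keyword=physics+textbook+grade+11+pdf+nelson"]
    + ["https://cdn.farm-a.example/files/%d.pdf" % n for n in range(12)]
    + ["http://files.farm-%s.example/uploads/%d/doc.pdf" % (h, n)
       for n, h in enumerate("bcdefg")]
)

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    for url, channel in extract_urls(sample).items():
        print("%-24s %s" % (channel, url))
    for finding in triage(sample):
        print("FINDING", finding)
```

The extractor is deliberately regex-based and only sees uncompressed objects; real samples with object streams or FlateDecode-compressed annotation arrays need a proper parser (pikepdf or pdfminer) to walk the page /Annots tree before the same host-clustering and redirector checks are applied. The point the channel label makes is the one the report's EMBEDDED_URL entry makes: a namespace URI in XMP metadata and a /URI action the user can click are different evidence, and only the latter feeds the two critical heuristics.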

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams, as expected from a wkhtmltopdf/Qt-generated document; the verdict above does not rest on them.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000be54.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xBE54   5844 bytes
    SHA-256: 292eb767efeffb1fb865f42633e91ecf96267b25cc608f7a3edced9a1ad551ab
font_01_sfnt_off0000d1fe.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xD1FE   1404 bytes
    SHA-256: 168fd0d7c711237101b250d30d759533d7bca85417fd528e7b2b753fce3ffa9a
font_02_sfnt_off0000d99e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xD99E   14288 bytes
    SHA-256: 15a16e85a7a4b3c22ce97950e2d6cff003c5711a7faafc81259a254a055ea940