Malicious PDF — malware analysis report

Static analysis result for SHA-256 42bbfa494ac358b4…

MALICIOUS

PDF

Size: 38.4 KB
Created: 2020-09-16 16:10:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0300223e16147809ad6c0f8743d58b10
SHA-1: effe4f268602da726006c42eae1953b01c9287a4
SHA-256: 42bbfa494ac358b497dba6cef6ba3ef82b91b8cb89c7571cb0647803eb7d2905
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, masquerading as an answer key for a word puzzle, to a malicious redirector. The primary malicious URL is https://ttraff.link/wix?keyword=plate+tectonics+word+puzzle+answer+key. The ML classifier strongly indicated maliciousness, and the PDF structure is consistent with link-farming and redirection techniques.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.link/wix?keyword=plate+tectonics+word+puzzle+answer+key
    • https://09157ade-77cd-4549-9f7c-b5202c5d06e5.filesusr.com/ugd/f35da0_be2b66c44be34bb0843205608c9c0f2d.pdf?index=true
    • https://65de848e-d464-464c-be7d-7e63fa8691b1.filesusr.com/ugd/3ed902_bdbc49b3518d4198b2756a66f103adb2.pdf?index=true
    • https://a3fae60d-3215-48fa-87cc-2be627fd8691.filesusr.com/ugd/b7306e_ed0ba372b5bf4c3183c48e9bdb18e270.pdf?index=true
    • https://2101ea13-1577-458d-9fee-d1ac18e9ae09.filesusr.com/ugd/4b874d_68a734e52ef845eca31c583f995601db.pdf?index=true
    • https://7f200419-0ac4-45a7-a196-9538939d0d67.filesusr.com/ugd/c722c2_8963892c20e74534bd1c702ffd0e4573.pdf?index=true
    • https://4e3232b2-26d2-4b8e-b8c4-5defc0cc80d1.filesusr.com/ugd/0582e0_9da4980fe846496eb3aa43eb4d9e96ea.pdf?index=true
    • https://cbaffc75-bc4f-44f5-8692-da84057067a5.filesusr.com/ugd/440e29_06d2edbf01304fd4a642d8a05b4e1515.pdf?index=true
    • https://6eff6716-61b8-4e38-9a42-7cc1e0d345fb.filesusr.com/ugd/50988c_a5aa061af9f94319b8b8695d0e55a90d.pdf?index=true
    • https://ee850b6c-8737-4163-b4c5-24929de39e0b.filesusr.com/ugd/162fe6_0290de4c942e4fb4b4da67d6d79f0155.pdf?index=true
    • https://28fd0a1b-fe95-426d-83fc-d3007296e2f0.filesusr.com/ugd/b91392_0fe0c444f3674cb393eb1b7bd4c44644.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/3337/0522/files/astrophysical_fluid_dynamics.pdf
    • https://cdn.shopify.com/s/files/1/0434/9270/4408/files/toremuxatawepebiwejave.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000586d.bin
SHA-256: 09bf52629f12661f2e7ab6cd09922d549938ca5ab34f3796d9e256be64864e8e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x586D
Size: 5376 bytes

Filename: font_01_sfnt_off00006ae5.bin
SHA-256: b0a7cf03e69e0603141f00f0c2561b1e0cd96ff1a53b38ae2dce7fe62ecb874b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6AE5
Size: 9972 bytes