Malicious PDF — malware analysis report

Static analysis result for SHA-256 43d2bade189de7d9…

MALICIOUS

PDF

40.8 KB Created: 2020-09-03 01:55:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd36d1de1afb4726a3bad35ed47b2ed4 SHA-1: 44fba2181047f8700023d0351da28dc93a77b325 SHA-256: 43d2bade189de7d92b3177d049dc62ecb77d6986cb6f2eae35dfe228b434184d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as an academic IELTS writing test, but it redirects to a malicious URL. The ML classifier strongly indicated maliciousness. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=academic+ielts+writing+test+pdf
    • https://cdn.shopify.com/s/files/1/0429/9731/7783/files/70901811692.pdf
    • https://cdn.shopify.com/s/files/1/0437/7542/6722/files/sasuwutesi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7899/1518/files/wosidi.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/gidagerubutefoponetudubug.pdf
    • https://cdn.shopify.com/s/files/1/0434/0436/1895/files/25747408299.pdf
    • https://static.usrfiles.com/ugd/c70c35_5b497a083b4a4f0aa0a8ac20d559d585.pdf
    • https://static.usrfiles.com/ugd/8acad3_4e1bd985bb024699bf7b9d7d17bda6bb.pdf
    • https://static.usrfiles.com/ugd/f390e7_8bfd0b4b292443129ccf3fdce5d708aa.pdf
    • https://static.usrfiles.com/ugd/3e9e83_1a7364f535234eb698f36a85f4cbcc86.pdf
    • https://cdn.shopify.com/s/files/1/0427/7154/6279/files/13790687242.pdf
    • https://cdn.shopify.com/s/files/1/0443/9366/0582/files/bapasabopojuvo.pdf
    • https://cdn.shopify.com/s/files/1/0434/0708/1630/files/7845963369.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006160.bin
c9ddc33113fa207caf31f54946a82bc1b7bf9179ecd683abc86743ec3e9b999b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6160 5556 bytes
font_01_sfnt_off00007443.bin
ac091c86d1eb58ef84b630e5ed64c0119f1fd51ff9b72d05b719633eaa6b14fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7443 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.