Malicious PDF — malware analysis report

Static analysis result for SHA-256 49d154c0d6c48466…

Verdict: MALICIOUS
File type: PDF
Size: 39.2 KB
Created: 2020-08-13 22:48:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 056f6a5716cbe6b139af23e36e18e187
SHA-1: a6ca61c3439ad187f146ae9bfb4704d59a4f2ff8
SHA-256: 49d154c0d6c48466c6a2ffda2f19c0ecb90e08bf18e84ff8c2896002283f21bf
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the lure is a clickable link inside the PDF; T1566.001 is the attachment sub-technique)
T1059.001 PowerShell (pipeline tag; no script content was extracted from this sample, so this mapping is not supported by the artifacts listed below)

The PDF contains a clickable link to a known malicious redirector, ttraff.cc, which is likely used to hide the final destination behind a redirect chain. The document body, although heavily obfuscated, carries the text 'Factoring prime numbers worksheets', which also appears as the keyword parameter of the redirector URL, suggesting an SEO-style lure that relies on the user clicking through. The large number of additional external PDF links, mostly clustered on one host, indicates a generated link farm used for SEO poisoning or to distribute malicious content rather than a genuine document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=factoring+prime+numbers+worksheets (the redirector link behind PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://tatixegev.shivagallery.ca/uploads/1/3/0/8/130814241/af6cf3e.pdf
    • http://files.beebrighthives.com/uploads/1/3/0/8/130813095/naredivibejup.pdf
    • http://kifur.camarillocommunitygardens.org/uploads/1/3/1/6/131606490/fefuladuzupoful-wuvip-vabom.pdf
    • https://cdn.shopify.com/s/files/1/0434/7936/7846/files/34277689215.pdf
    • https://cdn.shopify.com/s/files/1/0427/9838/3260/files/calendar_september_2020_printable.pdf
    • https://cdn.shopify.com/s/files/1/0427/6387/8566/files/98026592884.pdf
    • https://cdn.shopify.com/s/files/1/0431/7960/6176/files/dinutogonoxufusugowenewip.pdf
    • https://cdn.shopify.com/s/files/1/0437/9276/0994/files/xuwivekatoneguna.pdf
    • https://cdn.shopify.com/s/files/1/0440/1440/3742/files/losewixipazubabo.pdf
    • https://cdn.shopify.com/s/files/1/0428/7833/7187/files/vuximogeloxorir.pdf
    • https://cdn.shopify.com/s/files/1/0428/5018/9478/files/livoresejolabexaz.pdf
    • https://cdn.shopify.com/s/files/1/0428/6211/7023/files/vowilitatuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/2526/7877/files/budaya_organisasi_google.pdf
    The following six URIs are XMP/RDF schema namespace identifiers from the document's metadata stream; they are not clickable links and are not indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
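The three heuristics above reduce to a small amount of logic: label each extracted URL by the channel that carried it (a clickable link annotation versus a schema URI in the XMP metadata), match clickable hosts against redirector intelligence, and flag a small file whose clickable links are mostly external .pdf files on one host. The script below is an added example, not the analysis platform's own code. It assumes uncompressed /Annots with /A << /S /URI /URI (...) >> actions and an uncompressed XMP stream (real samples often compress these, so a production tool would inflate object streams first), a constructed redirector denylist containing only ttraff.cc, illustrative thresholds, and a constructed sample PDF whose .pdf links use made-up .example hosts.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed denylist for this demo; in practice this comes from threat intel.
REDIRECTOR_HOSTS = {"ttraff.cc"}

# Clickable link action inside an annotation: /A << /S /URI /URI (http://...) >>
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Schema namespace declarations inside the XMP metadata stream: xmlns:dc="http://..."
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')

# Constructed sample input: the redirector URL from the report plus made-up
# .pdf links, ten of them clustered on one host, resembling the listed pattern.
SAMPLE_URLS = (
    ["https://ttraff.cc/pify?keyword=factoring+prime+numbers+worksheets"]
    + [f"https://cdn.example/s/files/{i}.pdf" for i in range(10)]
    + ["http://a.example/uploads/x.pdf", "http://b.example/uploads/y.pdf",
       "http://c.example/uploads/z.pdf"]
)


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs. 'link_annotation' URLs are clickable;
    'xmp_namespace' URLs are schema identifiers from metadata and are not
    indicators, which is why the channel label matters more than the URL."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        found.append(("link_annotation", m.group(1).decode("latin-1")))
    for m in XMLNS_RE.finditer(pdf_bytes):
        found.append(("xmp_namespace", m.group(1).decode("latin-1")))
    return found


def redirector_hits(pdf_bytes):
    """PDF_MALICIOUS_REDIRECTOR_LINK-style check: clickable URIs on a denylisted host."""
    return [u for ch, u in extract_urls(pdf_bytes)
            if ch == "link_annotation" and urlparse(u).hostname in REDIRECTOR_HOSTS]


def link_farm_verdict(pdf_bytes, max_size=100 * 1024, min_links=8, min_share=0.5):
    """PDF_SEO_LINK_FARM-style check: a small file whose clickable links point to
    many external .pdf files, mostly on a single host. Thresholds are illustrative
    assumptions, not the platform's tuned values."""
    links = [u for ch, u in extract_urls(pdf_bytes) if ch == "link_annotation"]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) > max_size or len(pdf_links) < min_links:
        return False, {"pdf_links": len(pdf_links)}
    top_host, top_count = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
    share = top_count / len(pdf_links)
    return share >= min_share, {"pdf_links": len(pdf_links), "top_host": top_host, "top_share": share}


def build_sample_pdf(urls):
    """Construct a minimal PDF (not the analysed sample) with one URI link
    annotation per URL and an XMP metadata stream carrying namespace URIs,
    mirroring the two channels the report lists."""
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>" % u.encode()
        for u in urls)
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj\n"
            b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(xmp)
            + xmp + b"\nendstream endobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    for channel, url in extract_urls(sample):
        print(f"{channel:16} {url}")
    print("redirector hits:", redirector_hits(sample))
    print("link farm:", link_farm_verdict(sample))
```

Run stand-alone, the script lists the three metadata URIs under xmp_namespace and the fourteen clickable ones under link_annotation, reports the single redirector hit, and returns a true link-farm verdict with ten of thirteen .pdf links on the constructed cdn.example host. On a real sample, the same channel split is what keeps the RDF and Adobe namespace URIs out of an IOC export.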

Extracted artifacts 2

Files carved from inside the sample during analysis. Both artifacts are embedded font subsets, which are expected in PDFs rendered by wkhtmltopdf; they are listed for completeness and are not detections.

Filename                       Kind              Source                                      Size
font_00_sfnt_off00005b00.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x5B00   5564 bytes
    SHA-256: 2b9f67d2c25c3a083f1caf4fb97ccf9a0c8c06191b615c3370dd01ad0f33c89d
font_01_sfnt_off00006dd4.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x6DD4   9884 bytes
    SHA-256: aab2b63648a846030a1b0439beb308b5484d95231d76a107cb6c8d5dff60d29e