Verdict: MALICIOUS (Risk Score 150)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link, which is also present in the document body. The document is designed to appear as a 'water cycle worksheet 6th grade answer key' to entice clicks. The presence of numerous external links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to distribute malicious content. The ML classifier strongly indicates maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.cc/wb?keyword=water%20cycle%20worksheet%206th%20grade%20answer%20key
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006c68.bin | fe47ce2268458faf5dbd30e475e414b60bd4b9dc9fbedea01427cc8073a0e01a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C68 | 5628 bytes |
| font_01_sfnt_off00007fab.bin | d960f9def6c094a27d945bb189263ef6e6625566bab314210bae7f82ab4394b5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7FAB | 10272 bytes |