Malicious PDF — malware analysis report

Static analysis result for SHA-256 594f3bb8968dcd74…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Created: 2020-09-16 21:08:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03401ed32276f6f1414d3c8615cccdf3
SHA-1: c7425764671fe52c2b404758fa78d731103c723f
SHA-256: 594f3bb8968dcd741c81cee6d5a0b1e960b396051c7a34d7009105834200168c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fires on a malicious redirector link in the PDF, pointing to 'https://ttraff.me/wix?keyword=l+words+for+kindergarten'. The URL is embedded in the document body and disguised as educational content for kindergarteners. The PDF also shows the characteristics of a link farm, with numerous external links. The ML classifier strongly flags this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.me/wix?keyword=l+words+for+kindergarten
    • https://cdn.shopify.com/s/files/1/0429/9158/3391/files/pats_price_action_trading_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/2440/6933/files/6._1_ionic_bonding_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/4492/0734/files/s_chand_books_for_class_10_physics_free_download.pdf
    • https://57b70ad7-d6a8-470c-9394-8ef670c5218d.filesusr.com/ugd/d7d6cd_e3df5199f570478b9b42de264d4b080f.pdf?index=true
    • https://b0ee8698-cfc6-456f-bef6-a538da77e0bb.filesusr.com/ugd/145364_aa072dcce1a34816a5f57c019f3b31e4.pdf?index=true
    • https://9689908e-0fad-45bf-8aeb-0a10d45b083e.filesusr.com/ugd/c638b7_b477274c49db466ca19944a44e422fa5.pdf?index=true
    • https://2b2131f5-e75c-4612-b485-4d4795e7f0bc.filesusr.com/ugd/4fb05f_0d67511271434392a92f94109afe26f3.pdf?index=true
    • https://23058313-814f-4e70-83bc-8a8849f83ee4.filesusr.com/ugd/f08e01_a886450db3364de6a712df11a8c56bfa.pdf?index=true
    • https://d707b61b-43ac-4d7d-bf36-d806f724945a.filesusr.com/ugd/592671_7f94abd6979840ec80ab042dde9c16e4.pdf?index=true
    • https://bbb1d7ec-ea72-4de0-b9df-4f199f7f0cb9.filesusr.com/ugd/271e65_01ad44dc33ce437fa22ae21797baa911.pdf?index=true
    • https://42bda07d-5ad3-4e62-ba1e-148d78d6196b.filesusr.com/ugd/384ea4_153b1dbea1c24572b90edc3b802499b6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://2b2131f5-e75c-4612-b485-4d4795e7f0bc.filesusr.com/u

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000787f.bin
    SHA-256: 482955ced6243d6f3c0f4034c1c1c5c18bd350d44755b13ff481d25ba4ba13d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x787F
    Size: 5140 bytes
  • Filename: font_01_sfnt_off00008a29.bin
    SHA-256: 67720b93b975e77ed5283efef956d152bacb0929506ed0a4bd1c8fde152b27b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A29
    Size: 10696 bytes