Malicious PDF — malware analysis report

Static analysis result for SHA-256 608f5a64d5a55473…

MALICIOUS

PDF

41.0 KB Created: 2020-09-01 03:57:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95d363e70139dc4f7d035e30bd218a6d SHA-1: a2064a9a0099d21415dc0d63ce234943afaca870 SHA-256: 608f5a64d5a5547384bfbbe13722c3a5d10216f778c71099774781e6f7abc04a
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links to known malicious redirector infrastructure, specifically pointing to 'https://ttraff.ru/wix?keyword=integrated+math+1a+answers'. The document body, though heavily obfuscated, appears to contain text related to 'integrated math 1a answers', suggesting a lure to trick users into clicking the malicious link. The presence of numerous other PDF links, many pointing to benign content, is characteristic of SEO link farm techniques used to obscure malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=integrated+math+1a+answers
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/b8c837_8f125fccc3ae4256ac7835c55a89af43.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e08d37e535c43a5b82f4c78f1e535e5.pdf
    • https://static.usrfiles.com/ugd/c345b0_44b62aaf4ae44b338f35a5c9722c264a.pdf
    • https://static.usrfiles.com/ugd/314c35_c4489274f3744158924202225e9161f4.pdf
    • https://static.usrfiles.com/ugd/ee9d3f_c81fd3008af54a279c624899fcaa4e3c.pdf
    • https://cdn.shopify.com/s/files/1/0434/4859/8678/files/vademeji.pdf
    • https://cdn.shopify.com/s/files/1/0431/8904/3358/files/54404805941.pdf
    • https://cdn.shopify.com/s/files/1/0432/7643/5621/files/muzifebovuj.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/13534048661.pdf
    • https://cdn.shopify.com/s/files/1/0428/6434/5255/files/vuxererifixijapuwexurasad.pdf
    • https://cdn.shopify.com/s/files/1/0429/9007/6057/files/good_annotator_for_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005605.bin
82a6e5b43b4c1a7b5245b7abf6e045bf1ea89526b424809a93df3cad02b47bbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5605 4916 bytes
font_01_sfnt_off0000668f.bin
bf60ee98fb96352ef9f72e51b734e9413085d9d1132958d41395d3b4340709b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x668F 10180 bytes
font_02_sfnt_off00008966.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8966 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.