Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c4385a9fa128682…

MALICIOUS

PDF

46.5 KB Created: 2020-09-23 00:37:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e43d8824fcd427c137839bf39f575f10 SHA-1: 95cb0703226dcbffc4f5ce2e200c72fada9079e4 SHA-256: 8c4385a9fa128682a7b564e4eed1f0eaba23a33bdc2d383b797e09f2a4b8c7f2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to a URL that appears to be a search result for educational content. The document body, though partially garbled, contains text related to 'Eureka math grade 7 module 3 lesson 9 answers' and the malicious URL. The PDF also contains a large number of embedded links, many of which point to Shopify domains, suggesting a link farm or SEO manipulation tactic to disguise the malicious redirector. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=eureka+math+grade+7+module+3+lesson+9+answers
    • https://cdn.shopify.com/s/files/1/0428/8030/3263/files/jerariwulopatas.pdf
    • https://cdn.shopify.com/s/files/1/0433/0212/5733/files/67751508612.pdf
    • https://cdn.shopify.com/s/files/1/0438/3378/6518/files/churches_for_sale_in_pensacola_florida.pdf
    • https://cdn.shopify.com/s/files/1/0434/7743/4525/files/astral_projection_books.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7293/files/camera_eyewear_v12_user_manual.pdf
    • https://d834f55a-3d56-4e5b-88a7-4b5cd1b59f76.filesusr.com/ugd/d43733_37bb92085f3a4c499da55d09adc83ab8.pdf?index=true
    • https://8c19dabe-adfb-49fa-8959-79e70db2fad0.filesusr.com/ugd/5de1df_82004e3694f341619094216957d54546.pdf?index=true
    • https://4b6aaacc-86e7-4ac3-a570-791e82eeea47.filesusr.com/ugd/bc84a3_16226a1210d24075bb74819eb70e1bff.pdf?index=true
    • https://f2467b04-e972-41ab-80a0-8a4af3140c3c.filesusr.com/ugd/c33f71_4a144a788ab949f5b2ee2fdd955cfec8.pdf?index=true
    • https://12856027-f23f-4d9c-9ad8-8ad7f0233459.filesusr.com/ugd/4a2613_0f92fb6d712b4353b75d5406eac97db9.pdf?index=true
    • https://c5326b37-ada3-47a5-b19a-86c6c5078cc9.filesusr.com/ugd/d9e9a0_c68afc4610854efaa1ec463fcb25684a.pdf?index=true
    • https://b696fb2c-484d-4ab2-a7b2-460536c7b282.filesusr.com/ugd/a474dd_38141ea18ffb4decb9f1873e442e2e15.pdf?index=true
    • https://5d2bb95b-8a89-4257-90eb-f1c53afa53de.filesusr.com/ugd/2b25b5_e0cae8a984574de8a572f070fd69a690.pdf?index=true
    • https://45826dd4-419f-4bde-9ae1-422b1424c6b1.filesusr.com/ugd/062c90_d36252ecd2f94f209a70e4fddef854b8.pdf?index=true
    • https://ee5b1ebf-07b4-44de-be32-8f9a51d2a99b.filesusr.com/ugd/dcf9ad_020fea1908434da39d17e27b20e2b080.pdf?index=true
    • https://e1965947-9f60-412f-a910-1f91449a07e7.filesusr.com/ugd/e23fbb_623a8e42fbd747cfaa3e0f8051862bdd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://ee5b1ebf-07b4-44de-be32-8f9a51d2a99b.filesusr.com/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005612.bin
a00551f03ba3e833176c3cf392c4d4add414dea857eb5def62023ca437c01084		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5612 5752 bytes
font_01_sfnt_off00006994.bin
0e7a31b31ec112b6c36d073e6ed3db9cc4b4c65b8327078cea726d55f8880f1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6994 13048 bytes
font_02_sfnt_off000092e5.bin
4b3f51fe40459f433be8471df9cb7f4f4472322f6fdda1a1cb24d318d3811c10		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92E5 17328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.