Malicious PDF — malware analysis report

Static analysis result for SHA-256 95ee5d341585cec7…

MALICIOUS

PDF

42.5 KB Created: 2020-09-08 15:51:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 012eaaf26b1056437f61fffceb5c0e27 SHA-1: d80daa1ffafc50f3de113172ee6f1659df6cb57f SHA-256: 95ee5d341585cec7ded8a26156d502cbfcc0e22d343534eb50844030e7c219ab
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though partially corrupted, contains text related to 'community workers worksheets for preschoolers' and the malicious URL. This suggests a social engineering lure to direct users to potentially harmful content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=community+workers+worksheets+for+preschoolers
    • https://static.usrfiles.com/ugd/3e9e83_fa0b3029f9784454a7ff84f5f0757b73.pdf
    • https://static.usrfiles.com/ugd/fe83c3_7d7b8bb575384cd889a56063793651c1.pdf
    • https://static.usrfiles.com/ugd/d954c5_1427990fc99e4a8991cf2673bf7ec5c9.pdf
    • https://static.usrfiles.com/ugd/f99735_82c447e95d0e45ed8cb7ff0afe5bfb06.pdf
    • https://static.usrfiles.com/ugd/cdb50c_3bb78a88ab9446f7ae224d3e3a3dc4c6.pdf
    • https://cdn.shopify.com/s/files/1/0428/9714/6019/files/zebifaki.pdf
    • https://cdn.shopify.com/s/files/1/0454/4974/0438/files/buet_admission_result_2020_18.pdf
    • https://cdn.shopify.com/s/files/1/0431/0358/4409/files/71537012900.pdf
    • https://cdn.shopify.com/s/files/1/0431/6404/1373/files/ffmpeg_convert_to_mp4.pdf
    • https://static.usrfiles.com/ugd/ef7b09_d93795e3c2b74dee9918b5609d1a5b6e.pdf
    • https://static.usrfiles.com/ugd/fb83f1_31a99c11119d4945a8a6b185e70210ff.pdf
    • https://cdn.shopify.com/s/files/1/0434/9027/9574/files/52087848359.pdf
    • https://cdn.shopify.com/s/files/1/0463/1022/8133/files/96380118525.pdf
    • https://cdn.shopify.com/s/files/1/0470/8709/1870/files/miratase.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006797.bin
98b7454be94d92cf6bd0dce2780c69486619831e07978d1d550fe4e7918bef9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6797 5208 bytes
font_01_sfnt_off00007943.bin
321e462f2fe245ae7713fe82b692e74d2e17d6c5a38c98c28c4e83e976bdcf53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7943 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.