Malicious PDF — malware analysis report

Static analysis result for SHA-256 983bc7741e3c7f33…

Verdict: MALICIOUS
File type: PDF
Size: 49.9 KB
Created: 2020-08-09 07:00:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ec5ee004e74ba140dce080344bf4b16
SHA-1: ece50296c9829276c45e8c81e058b5972807d940
SHA-256: 983bc7741e3c7f3375e0fe85c8b4fb6d8d743402df1de5857d7dac1c4d6bd035
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell

A critical heuristic fires on a clickable link to known malicious redirector infrastructure; the same link also appears in the document body. That link, https://ttraff.cc/pify?keyword=ncert+maths+books+for+class+8+pdf, is the lure: its keyword-style query string matches the SEO bait the campaign uses, and clicking it is intended to route the user through a redirect chain to a malicious or unwanted-software download. The document also matches the profile of a PDF SEO link farm (many external links to other generated PDFs, clustered on one host), which points to a broader campaign that distributes such documents at scale rather than a one-off lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection. See the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets (15 URLs; the redirector lure plus 14 external PDFs, 10 of them on cdn.shopify.com):
    • https://ttraff.cc/pify?keyword=ncert+maths+books+for+class+8+pdf (redirector; also present in the document body)
    • http://files.onelasalle.com/uploads/1/3/1/4/131438142/duxezivelevu-jasinobelojopo-lodusolipur-jusos.pdf
    • http://files.ezraacademy.org/uploads/1/3/0/8/130874231/mujajin_xixekak_pimawegabegej.pdf
    • http://files.jhamrick.com/uploads/1/3/1/6/131607321/5307036.pdf
    • http://files.cassieabate.com/uploads/1/3/1/4/131409090/8744195.pdf
    • https://cdn.shopify.com/s/files/1/0437/6068/1109/files/mac_commands_cheat_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0432/1568/3744/files/bot_emoji_discord_copy_and_paste.pdf
    • https://cdn.shopify.com/s/files/1/0430/9997/9930/files/garaworurubiku.pdf
    • https://cdn.shopify.com/s/files/1/0432/7840/1700/files/mockingjay_part_1_script.pdf
    • https://cdn.shopify.com/s/files/1/0429/5576/7967/files/62406719034.pdf
    • https://cdn.shopify.com/s/files/1/0433/9014/0581/files/tajupekogek.pdf
    • https://cdn.shopify.com/s/files/1/0430/9850/5369/files/vilawo.pdf
    • https://cdn.shopify.com/s/files/1/0433/5340/7646/files/duzomijep.pdf
    • https://cdn.shopify.com/s/files/1/0435/0532/0088/files/satonenowopirulazerado.pdf
    • https://cdn.shopify.com/s/files/1/0431/0899/1125/files/wufituve.pdf
    XMP/RDF namespace identifiers from the document's metadata packet (standard schema URIs written by the authoring tool, not clickable links; listed for completeness only):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
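The two critical heuristics above are simple enough to reproduce. What follows is an added example, not the analysis platform's own code: it pulls the targets of link annotations out of a PDF-shaped byte string, labels every URL by the channel it came from (link annotation, XMP namespace, or loose body text, which is the per-URL labelling the EMBEDDED_URL entry refers to), matches hosts against a redirector list, and applies a small-file / many-PDF-links / one-host-cluster rule. The sample PDF is constructed inline from the report's own URL list and a minimal XMP packet; the thresholds, the redirector host set, the regexes and all function names are assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A link annotation carries its target in a URI action: /A << /S /URI /URI (http://...) >>.
# Escaped parentheses inside the literal string are not handled; none of the report's links need it.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Any http(s) URL anywhere in the raw bytes, whatever channel it sits in.
ANY_URL_RE = re.compile(rb"https?://[^\s\"'()<>\[\]]+")

# Redirector host from the report's finding. Assumption of this example, not a maintained intel feed.
REDIRECTOR_HOSTS = {"ttraff.cc"}
# Standard XMP/RDF schema URIs: identifiers inside the metadata packet, never clickable links.
XMP_NAMESPACE_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                          "http://www.w3.org/1999/02/22-rdf-syntax-ns")
# Link-farm thresholds (assumed): "small" file, enough external PDF links, most on one host.
MAX_SIZE, MIN_PDF_LINKS, MIN_CLUSTER_SHARE = 200 * 1024, 8, 0.5

# Link targets copied from the report: one redirector lure plus 14 external PDFs.
SAMPLE_URLS = [
    "https://ttraff.cc/pify?keyword=ncert+maths+books+for+class+8+pdf",
    "http://files.onelasalle.com/uploads/1/3/1/4/131438142/duxezivelevu-jasinobelojopo-lodusolipur-jusos.pdf",
    "http://files.ezraacademy.org/uploads/1/3/0/8/130874231/mujajin_xixekak_pimawegabegej.pdf",
    "http://files.jhamrick.com/uploads/1/3/1/6/131607321/5307036.pdf",
    "http://files.cassieabate.com/uploads/1/3/1/4/131409090/8744195.pdf",
] + ["https://cdn.shopify.com/s/files/1/%s/files/%s" % p for p in [
    ("0437/6068/1109", "mac_commands_cheat_sheet.pdf"), ("0432/1568/3744", "bot_emoji_discord_copy_and_paste.pdf"),
    ("0430/9997/9930", "garaworurubiku.pdf"), ("0432/7840/1700", "mockingjay_part_1_script.pdf"),
    ("0429/5576/7967", "62406719034.pdf"), ("0433/9014/0581", "tajupekogek.pdf"),
    ("0430/9850/5369", "vilawo.pdf"), ("0433/5340/7646", "duzomijep.pdf"),
    ("0435/0532/0088", "satonenowopirulazerado.pdf"), ("0431/0899/1125", "wufituve.pdf"),
]]

# Constructed XMP packet using the same namespace URIs the report extracted.
XMP_PACKET = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
              b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
              b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/" xmlns:dc="http://purl.org/dc/elements/1.1/">'
              b'<rdf:Description rdf:about=""><pdf:Producer>wkhtmltopdf 0.12.5</pdf:Producer>'
              b'</rdf:Description></rdf:RDF></x:xmpmeta>')


def build_sample_pdf(urls):
    """Constructed, uncompressed PDF-shaped bytes: one link annotation per URL plus an XMP stream.
    No xref table is written; raw-byte scanning does not need one."""
    out, annots = [b"%PDF-1.4\n"], []
    for num, url in enumerate(urls, start=10):
        annots.append(b"%d 0 R" % num)
        out.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, url.encode()))
    out.append(b"2 0 obj\n<< /Type /Page /Parent 1 0 R /Annots [" + b" ".join(annots) + b"] >>\nendobj\n")
    out.append(b"3 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP_PACKET)
               + XMP_PACKET + b"\nendstream\nendobj\n")
    out.append(b"trailer\n<< /Root 4 0 R >>\n%%EOF\n")
    return b"".join(out)


def extract_link_uris(pdf_bytes):
    """Targets of URI actions, i.e. what the user reaches by clicking, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]


def classify_urls(pdf_bytes):
    """Label every URL by the channel it came from; the label, not the URL, decides relevance."""
    clickable, labels = set(extract_link_uris(pdf_bytes)), {}
    for m in ANY_URL_RE.finditer(pdf_bytes):
        url = m.group(0).decode("latin-1")
        if url in clickable:
            labels.setdefault(url, "link-annotation")
        elif url.startswith(XMP_NAMESPACE_PREFIXES):
            labels.setdefault(url, "xmp-namespace")
        else:
            labels.setdefault(url, "document-body")
    return labels


def redirector_hits(uris):
    """Clickable targets whose host is on the redirector list (PDF_MALICIOUS_REDIRECTOR_LINK)."""
    return [u for u in uris if urlparse(u).hostname in REDIRECTOR_HOSTS]


def link_farm_verdict(uris, pdf_size):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links, mostly on one host."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if pdf_size > MAX_SIZE or len(pdf_links) < MIN_PDF_LINKS:
        return None
    host, count = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
    if count / len(pdf_links) < MIN_CLUSTER_SHARE:
        return None
    return {"name": "PDF_SEO_LINK_FARM", "severity": "critical", "pdf_links": len(pdf_links),
            "top_host": host, "top_host_share": round(count / len(pdf_links), 2)}


def analyze(pdf_bytes):
    """Run both heuristics and return findings plus the per-URL channel labels."""
    uris, findings = extract_link_uris(pdf_bytes), []
    hits = redirector_hits(uris)
    if hits:
        findings.append({"name": "PDF_MALICIOUS_REDIRECTOR_LINK", "severity": "critical", "urls": hits})
    farm = link_farm_verdict(uris, len(pdf_bytes))
    if farm:
        findings.append(farm)
    return {"findings": findings, "urls": classify_urls(pdf_bytes)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_pdf(SAMPLE_URLS)), indent=2))
```

Raw-byte scanning is enough here because Qt 4-era writers such as wkhtmltopdf emit PDF 1.4 with annotation dictionaries as plain objects; on samples that use FlateDecode-compressed object streams (PDF 1.5+), inflate the streams before matching or the annotations are invisible to the regexes. The channel labelling is the point of the EMBEDDED_URL caveat: the six schema URIs in the metadata packet surface from the same byte scan as the lure but never become a finding.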

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00007034.bin
  SHA-256: 9a376a50a5e0cb5022a472983e6657498f54322d55f5596437d8f1b00e28ce3c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7034
  Size:    5760 bytes

font_01_sfnt_off000083a5.bin
  SHA-256: 66c3a3407ad9f3ae57656487697be8b27d87d736947413e77cddb97f0bd72633
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x83A5
  Size:    9936 bytes

font_02_sfnt_off0000a5b6.bin
  SHA-256: 9e1271d681207e96fe60c94df920a27091a957dc81e2614e9e6235263a34fce6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA5B6
  Size:    16068 bytes