Malicious PDF — malware analysis report

Static analysis result for SHA-256 99f979f7e0b74cf9…

MALICIOUS

PDF

44.8 KB Created: 2020-09-21 01:38:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 27ba8a657a9581153013981c966aeee9 SHA-1: 3e74e139c2712f9e6fdc9a26adfa382c41e2d76f SHA-256: 99f979f7e0b74cf9ecaed95a81f5de44cb02a5e372167b7a60308fc1d15e9644
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text suggesting it is a 'Wiley study guide cfa', a common lure for phishing. The primary malicious URL identified is https://ttraff.link/wix?keyword=wiley+study+guide+cfa, which is linked to known malicious infrastructure. The presence of multiple PDF links and the ML classifier's high confidence score further support the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=wiley+study+guide+cfa
    • http://bibekuxir.nhcss.org/uploads/1/3/1/3/131380600/6739331.pdf
    • http://zoganuzaw.drperryauthor.com/uploads/1/3/1/6/131637254/ronapuviwidug_razidawa_kejukawowu.pdf
    • http://folexozem.thedriftwoodshack.com/uploads/1/3/1/3/131383493/zofosivofakakorodid.pdf
    • https://ec41ba3d-b99a-45a2-b7e7-e2670943f003.filesusr.com/ugd/e1a791_5715499e2cd14bdb983985870389b450.pdf?index=true
    • https://667c366a-a9a4-4818-a808-ff480dcf351e.filesusr.com/ugd/15cd4d_11140fddf0894a3f889da1782cd2832a.pdf?index=true
    • https://2b879cf7-da44-467a-acbf-946ce967235d.filesusr.com/ugd/4cf28d_983d1950d2144d54b09fd13cb58de556.pdf?index=true
    • https://c8531830-18d8-4b46-b146-ad65251fea98.filesusr.com/ugd/f91cf1_d61b9f9f623f44e6b43e770b58f1225c.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/1403/7409/files/the_road_not_taken_line_by_line_analysis.pdf
    • https://cdn.shopify.com/s/files/1/0433/5458/7288/files/unearthed_arcana_rogue.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7614/files/45983301444.pdf
    • https://0225c6ea-c9c6-4348-905f-9205f00c5f33.filesusr.com/ugd/eb6612_ae45dec662024082855cb865a401e659.pdf?index=true
    • https://618adae4-f787-4fe2-871c-4ddb93e2ef8e.filesusr.com/ugd/d5415a_bea2e273261a422fa6416d44857908a3.pdf?index=true
    • https://32cc9f66-3604-42b5-a899-98eecc81f731.filesusr.com/ugd/2ac701_0583edcc85fe4196a9c3da953ff3981a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006364.bin
536802fc892ba0e993c98a6536f7734e256c92e28600bfe3dbc8958acb17b2be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6364 4872 bytes
font_01_sfnt_off00007417.bin
e34b12e64cc0baa265f8976d7e2051c7240c8188658d36680e34f77240f93202		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7417 10652 bytes
font_02_sfnt_off000098a1.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98A1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.