Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cf29164c0a917e3…

MALICIOUS

PDF

42.7 KB Created: 2020-09-16 22:40:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 99de9bded78635ce27ab4f230fdad38d SHA-1: b5065998871a39e405956ffd0fda188640a1e6ac SHA-256: 9cf29164c0a917e37205b8eaea5fa33676d2289a8729175cdaa08963980ac7ec
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file contains a lure for an educational worksheet, but embeds a link to a known malicious redirector. The PDF also contains a large number of external links, characteristic of a link farm, which is a common tactic for SEO poisoning or distributing malware. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that the embedded links are intended for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=combining+sentences+worksheet+8th+grade
    • http://senibexa.merrinandsondecorators.co.uk/uploads/1/3/1/3/131379434/3925959.pdf
    • http://sulano.carrshieldcampingbarn.co.uk/uploads/1/3/1/3/131397997/mixulegidejola.pdf
    • http://files.vt-iorg.org/uploads/1/3/1/4/131411688/1100295.pdf
    • http://binalom.vinoetamicis.com/uploads/1/3/1/4/131406821/1425fc6c8d4.pdf
    • https://621b070d-d0a3-462f-9eff-d17f93e7d96c.filesusr.com/ugd/784815_dddf5e5bcd7848cca30b51106cb94d3d.pdf?index=true
    • https://47e8dd91-6b58-4be5-bf1f-e0e1b981c1e2.filesusr.com/ugd/95089d_df2f087e2516476284f5b037242d03c6.pdf?index=true
    • https://618af936-ffb8-4f21-9eb4-fc652dae1b28.filesusr.com/ugd/3d514e_3ae72a779a264acbac3d114ab4c90e4c.pdf?index=true
    • https://38d86348-fbd3-4211-84de-ebcd8c8f7fc5.filesusr.com/ugd/12dc78_993d587f131b4a98810f09c76d9df984.pdf?index=true
    • https://54e2cae4-d495-4a22-bda2-8386d308af15.filesusr.com/ugd/8716ab_add0aa4c48504447857384c709f1cee8.pdf?index=true
    • https://3ea8dea0-b37d-49d8-b76b-2c455cf624dd.filesusr.com/ugd/8a05ec_06331ebacb78475fb24061d89fb0652a.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/4658/3976/files/cracked_apk_files.pdf
    • https://cdn.shopify.com/s/files/1/0432/4392/9757/files/nowararaj.pdf
    • https://cdn.shopify.com/s/files/1/0432/0549/2904/files/nafomoba.pdf
    • https://cdn.shopify.com/s/files/1/0429/8814/2743/files/55745468111.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006814.bin
ef8ac68d4d1d4fa4012b3d878b85dbced89373e98e6478d819df67c9a1957a59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6814 5716 bytes
font_01_sfnt_off00007b6f.bin
621e24b701bf30ce644f137ed9f78ee9d65ce9ea7ecc746f2f21bcaec85e56b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B6F 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.