Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5340ba9646f49b3…

MALICIOUS

PDF

Size: 53.0 KB
Created: 2020-07-07 11:07:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af99ac5956973ad1f5d234cb53f81684
SHA-1: 8452477ce1c483041966516ca5778841a39e267f
SHA-256: a5340ba9646f49b3014ede04b131789fb263597345669b28a553ae961468045c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, disguised within content related to educational worksheets. The ML classifier strongly indicated maliciousness. The document body, though obfuscated, contains the target URL and numerous other URLs pointing to PDF files, suggesting a link farm or redirection strategy. The primary malicious link is https://ttraff.com/wb?keyword=multiplying%20fractions%20word%20problems%20worksheet%206th%20grade#multiplying+fractions+word+problems+worksheet+6th+grade.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wb?keyword=multiplying%20fractions%20word%20problems%20worksheet%206th%20grade#multiplying+fractions+word+problems+worksheet+6th+grade
    • http://files.sydneynewhorizons.org/uploads/1/3/2/7/132710787/lozaratorepu_tatira.pdf
    • http://files.brushandbranch.co/uploads/1/3/0/7/130740344/2297158.pdf
    • http://files.antoniodavidsinopoli.com/uploads/1/3/0/8/130873907/4090271.pdf
    • http://files.misfitcrusaders.com/uploads/1/3/0/8/130814672/634f8e.pdf
    • http://files.bluenosewoodworks.com/uploads/1/3/2/8/132815961/somokirolurujewikusi.pdf
    • http://files.haralsoncountyhistory.com/uploads/1/3/2/3/132302913/4438840.pdf
    • http://files.sopoochtraining.com/uploads/1/3/2/8/132815961/kawivibugakovuj.pdf
    • https://xakevotakumo.files.wordpress.com/2020/07/43655335298.pdf
    • https://vesavijaba.files.wordpress.com/2020/07/675673566.pdf
    • https://febisixutewo.files.wordpress.com/2020/06/65137408420.pdf
    • https://kuwezara.files.wordpress.com/2020/06/libaselidalovupos.pdf
    • https://bimibalosoj.files.wordpress.com/2020/06/64896616155.pdf
    • https://sosasifen.files.wordpress.com/2020/06/39427615459.pdf
    Extracted URIs that are standard XMP/RDF metadata namespace identifiers (schema references in the document metadata, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007432.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7432
    Size: 6008 bytes
    SHA-256: 2b866930834d659b0b37ed2cd7ef62be095c88cdcaba4b191b7be88a3def0999
  • font_01_sfnt_off00008888.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8888
    Size: 10812 bytes
    SHA-256: 1c8bd0d9886245e371315d428e7eb80ef8034768cb8e8c876ca9bea45e436100
  • font_02_sfnt_off0000adc2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xADC2
    Size: 17096 bytes
    SHA-256: 09c469605dfb41dd3100a83aa8ebac5e67555267ad4f5be8f0e5856baeb481ea