Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5707b62207393af…

Verdict: MALICIOUS
File type: PDF
Size: 32.7 KB
Created: 2020-09-19 10:49:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c89f21e9ae23929297b46e33e71e0863
SHA-1: e58c4a6c0ff6ef3f66e7173f96418f0903d758c4
SHA-256: a5707b62207393afe6a573c910ce29471d3ee3b06fe6c87fab6726a48b9a47ff
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF is small but carries a large number of clickable links: twelve point to other PDFs hosted on per-site filesusr.com subdomains (Wix user-file hosting), and one points to a redirector service, https://ttraff.link/wix?keyword=infinite+geometric+series+worksheet+with+work. The keyword in that URL matches the academic-worksheet lure the document presents, so a user who reached the file while searching for the worksheet is led to click through the redirector to whatever the campaign currently serves. The ML classifier scores the file as malicious with maximum confidence, and the redirector link together with the link-farm structure corroborates that verdict. None of the matched heuristics points to a parser exploit; the chain depends entirely on the user clicking.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4 matched)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicated object carries active content (for example a URI, JavaScript or launch action).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=infinite+geometric+series+worksheet+with+work (the redirector URL matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://157e7cef-0d71-454a-822d-fff7d9cc35bd.filesusr.com/ugd/078c79_4014e0ed625049d99cd6df4f735f95e8.pdf?index=true
    • https://634ad8de-b36e-4fc7-84a2-ad9938d14808.filesusr.com/ugd/db1da1_db128d5037df436f97edeb5bfbc6044e.pdf?index=true
    • https://5e94bb32-5753-4625-b755-344a69fb0c51.filesusr.com/ugd/e1c37d_ba128236188e4ffa8bbdeb623d882d7a.pdf?index=true
    • https://3d067792-b5b6-4018-ad7a-eea5e74e6a3a.filesusr.com/ugd/9ec29b_22e45e8d178843fdb9b3a8a557ff8ae1.pdf?index=true
    • https://ad32aa7b-abc8-44a6-b241-941b57a44df6.filesusr.com/ugd/694d5d_bc3e14bf2f474a6685ec094f8a82dde0.pdf?index=true
    • https://ec2d1506-f5c7-485e-ba24-938e986586af.filesusr.com/ugd/85c99c_2a2e99366fab457884c1f40f0a80a1f8.pdf?index=true
    • https://13adeb2c-6c6a-4e01-a282-ac244b7497c3.filesusr.com/ugd/96a426_1b0abb983a7e494b9e491bc95694ecb7.pdf?index=true
    • https://78d6e871-0122-4228-837b-05c747e30ad6.filesusr.com/ugd/f51585_85e3adb6e5804d1d9f31486c9382f532.pdf?index=true
    • https://516abd72-65ed-45eb-8938-d76eadcbba7d.filesusr.com/ugd/e2b09b_e0c0c3105cb5495b8e6abaeef775189e.pdf?index=true
    • https://43054532-0a2e-4834-872a-bb7b09daf89b.filesusr.com/ugd/3cb6cb_32a2630bd35247a0bce56b09cf5dcbdc.pdf?index=true
    • https://c3711273-01ac-455c-a6e8-75db905cd63c.filesusr.com/ugd/4aae87_4eb85662cc334767ab777ec7bbee62dd.pdf?index=true
    • https://e700b1f1-2bc1-4065-a2c9-7a304f05e8e4.filesusr.com/ugd/469aea_341aba6597bc4240b98f45a6cba86f99.pdf?index=true
    The following six are XMP/RDF namespace identifiers from the document's metadata stream, not clickable link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
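The three structural heuristics above (PDF_SEO_LINK_FARM, PDF_MALICIOUS_REDIRECTOR_LINK and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with plain regex scans over the raw bytes of an uncompressed PDF. The script below is an added example, not the analysis tool's own code and not the analysed file: the sample PDF, the `*.invalid` and `*.example` hostnames, the redirector blocklist and the size/count/share thresholds are all constructed assumptions. It also shows the parser-confusion point directly: the same file yields a different link target depending on whether the reader keeps the first or the last definition of a duplicated object.

```python
"""Added example (not the report tool's own code): reproduce three of the
report's heuristics, PDF_SEO_LINK_FARM, PDF_MALICIOUS_REDIRECTOR_LINK and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, over raw PDF bytes with regex scans."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF whose page
# carries four link annotations, followed by an incremental update that
# redefines object 4 with a different URI. The xref tables are omitted because
# the scans below work on object syntax, not on byte offsets.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://redir-a.invalid/go?keyword=worksheet) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://aaa.files.example/ugd/one.pdf?index=true) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://bbb.files.example/ugd/two.pdf?index=true) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://ccc.files.example/ugd/three.pdf?index=true) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://redir-b.invalid/go) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hypothetical blocklist standing in for the tool's redirector intelligence.
KNOWN_REDIRECTOR_HOSTS = {"redir-a.invalid", "redir-b.invalid"}
# Dictionary keys that make a duplicated object "active" rather than cosmetic.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def find_objects(pdf: bytes) -> dict:
    """Map (number, generation) -> list of body bytes, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs


def duplicate_objects(pdf: bytes) -> dict:
    """Objects defined more than once with differing bodies, as
    (num, gen) -> {"first": body, "last": body, "active": bool}."""
    out = {}
    for key, bodies in find_objects(pdf).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            out[key] = {"first": bodies[0], "last": bodies[-1],
                        "active": any(k in b for b in bodies for k in ACTIVE_KEYS)}
    return out


def extract_link_uris(pdf: bytes, policy: str = "all") -> list:
    """Literal-string /URI targets. policy 'first' or 'last' emulates a
    first-wins or last-wins reader when an object number is defined twice."""
    uris = []
    for bodies in find_objects(pdf).values():
        chosen = {"first": bodies[:1], "last": bodies[-1:]}.get(policy, bodies)
        for body in chosen:
            for m in URI_RE.finditer(body):
                raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape \( \) \\
                uris.append(raw.decode("latin-1"))
    return uris


def registrable_domain(url: str) -> str:
    """Last two host labels; no public-suffix list (an assumption)."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def redirector_links(pdf: bytes) -> list:
    return [u for u in extract_link_uris(pdf)
            if (urlparse(u).hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS]


def link_farm_assessment(pdf: bytes, max_size=64 * 1024, min_links=3, min_share=0.6) -> dict:
    """Assumed thresholds: a file under max_size with at least min_links
    external .pdf links, min_share of them on one domain, is a link farm."""
    uris = extract_link_uris(pdf)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(u) for u in pdf_links)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "links": len(uris), "pdf_links": len(pdf_links),
            "top_domain": top_domain, "share": round(share, 2),
            "flagged": len(pdf) <= max_size and len(pdf_links) >= min_links and share >= min_share}


if __name__ == "__main__":
    print("link farm:", link_farm_assessment(SAMPLE_PDF))
    print("redirectors:", redirector_links(SAMPLE_PDF))
    for key, d in duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d, active=%s" % (key[0], key[1], d["active"]))
        print("  first-wins reader sees:", extract_link_uris(SAMPLE_PDF, "first")[0])
        print("  last-wins reader sees: ", extract_link_uris(SAMPLE_PDF, "last")[0])
```

The scans only see objects written in clear. Real samples, including ones produced by wkhtmltopdf, often keep annotations in FlateDecode-compressed object streams, and `/URI` values may be hex strings rather than literal strings; run `qpdf --qdf --object-streams=disable in.pdf out.pdf` first, or use a real PDF library, before trusting a negative result.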

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004459.bin
  SHA-256: c47e773f9ca736051d7a956d20ea7851d1aed56e2b23328acc4f92ec4d72c420
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4459
  Size: 5144 bytes

Filename: font_01_sfnt_off000055d1.bin
  SHA-256: cc93b561b2651e9770ae4c8d71903bd6c5598173d366e6ae68df102bfab7b485
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x55D1
  Size: 9420 bytes