Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca8243c569371340…

Verdict: MALICIOUS
File type: PDF
Size: 41.9 KB
Created: 2020-08-17 10:57:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a09ee14e7068ee6228f07c90ff0a12c5
SHA-1: 0323a9403b5d60553dfd5ac87248d292218f37bd
SHA-256: ca8243c569371340655ed4497c0e4cd103a989941747d4372710370f70c7840f
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

Three heuristics fired on this file. PDF_MALICIOUS_REDIRECTOR_LINK (critical) indicates a clickable link to known malicious redirector infrastructure, here https://ttraff.cc/pify?keyword=hamlet+character+analysis+essay+pdf. PDF_SEO_LINK_FARM (critical) flags the large number of outbound .pdf links packed into a 41.9 KB file, most of them on a single host; that pattern is characteristic of generated link-farm carriers rather than genuine citations. The Nyx PDF classifier (ML_NYX_PDF_MALICIOUS) scored the file 1.0000. The document text itself is obfuscated, but the redirector URL's keyword parameter ("hamlet character analysis essay pdf") shows the lure: the file poses as an academic essay so that someone searching for one clicks through to whatever the redirector serves at click time. No PDF parser vulnerability is involved; the risk lies entirely in the user-driven redirect chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI (the ttraff.cc link listed below) to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the threat is whatever the link resolves to when clicked, not the act of rendering the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small (41.9 KB) PDF carries many clickable external PDF links, mostly clustered on one host: 11 of the 15 external .pdf links listed below point at cdn.shopify.com. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) tells you which path reached each URL.
    Redirector link (lure keyword: hamlet character analysis essay pdf):
    • https://ttraff.cc/pify?keyword=hamlet+character+analysis+essay+pdf
    External PDF links (15 in total, 11 on cdn.shopify.com):
    • http://files.cherissethurab.com/uploads/1/3/2/6/132695408/179deb2.pdf
    • http://nerosale.homefrontherald.com/uploads/1/3/1/4/131407815/8897933.pdf
    • http://files.sandiegoiaido.com/uploads/1/3/0/8/130813765/3131509.pdf
    • http://files.monroecounty2020.com/uploads/1/3/1/6/131637177/lotajumamarevu-jebenojemojufu.pdf
    • https://cdn.shopify.com/s/files/1/0431/7652/5984/files/infeccion_del_cordon_umbilical.pdf
    • https://cdn.shopify.com/s/files/1/0433/9403/9975/files/inverse_matrix_in_r.pdf
    • https://cdn.shopify.com/s/files/1/0437/2283/4071/files/bepuwojoguxorezijogi.pdf
    • https://cdn.shopify.com/s/files/1/0433/4131/6249/files/72022326170.pdf
    • https://cdn.shopify.com/s/files/1/0428/7440/5020/files/73049240848.pdf
    • https://cdn.shopify.com/s/files/1/0434/7068/4317/files/18040950088.pdf
    • https://cdn.shopify.com/s/files/1/0434/2464/5272/files/logic_gates_using_diodes_and_transistors.pdf
    • https://cdn.shopify.com/s/files/1/0437/9328/5277/files/35478070959.pdf
    • https://cdn.shopify.com/s/files/1/0430/3713/0914/files/cor_in_r.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/35535883354.pdf
    • https://cdn.shopify.com/s/files/1/0454/1834/8712/files/46559518768.pdf
    XMP namespace identifiers (standard RDF, Dublin Core and Adobe XMP namespaces from the document's metadata packet; these are not outbound links and should not be counted toward the link farm):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
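The two link heuristics above (redirector link, small-file link farm) and the caveat that XMP namespace identifiers are not clickable links can be reproduced with a short stdlib-only triage script. The following is an added example, not the scanner's own detection code: the redirector host list, the link-farm thresholds and the minimal sample PDF it builds are all assumptions for illustration (the sample reuses a subset of the URLs from this report, and the constructed PDF has no xref table, so it is enough for regex triage but not for a viewer). It separates URIs that sit inside /URI link actions (what a user can click) from URL-shaped strings elsewhere in the file (metadata), then scores the clustering of external .pdf links by host.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed redirector host list (hypothetical; in practice this comes from
# threat intel). ttraff.cc is the host seen in the report above.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

# Illustrative thresholds for the link-farm pattern; tune against real data.
MAX_SMALL_PDF_BYTES = 64 * 1024
MIN_EXTERNAL_PDF_LINKS = 5
MIN_TOP_HOST_SHARE = 0.5

# A clickable link annotation carries an action of the form
#   /A << /S /URI /URI (target) >>
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")
# Any URL-shaped string anywhere in the file (page text, XMP, metadata).
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def link_annotation_uris(pdf: bytes) -> list:
    """URIs a user can actually click: the targets of /URI actions."""
    return [m.group("uri").decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def non_link_urls(pdf: bytes) -> list:
    """URL-shaped strings that are not /URI action targets, e.g. the XMP
    namespace identifiers the report lists; metadata, not outbound links."""
    clickable = set(link_annotation_uris(pdf))
    found = [u.decode("latin-1") for u in ANY_URL_RE.findall(pdf)]
    return [u for u in found if u not in clickable]


def link_farm_score(pdf: bytes) -> dict:
    """Mimic PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK."""
    uris = link_annotation_uris(pdf)
    parsed = [urlparse(u) for u in uris]
    ext_pdf = [p for p in parsed
               if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(ext_pdf) if ext_pdf else 0.0
    redirectors = sorted({p.hostname for p in parsed
                          if p.hostname in KNOWN_REDIRECTOR_HOSTS})
    return {
        "size_bytes": len(pdf),
        "clickable_uris": len(uris),
        "external_pdf_links": len(ext_pdf),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "PDF_SEO_LINK_FARM": (len(pdf) <= MAX_SMALL_PDF_BYTES
                              and len(ext_pdf) >= MIN_EXTERNAL_PDF_LINKS
                              and share >= MIN_TOP_HOST_SHARE),
        "PDF_MALICIOUS_REDIRECTOR_LINK": redirectors,
    }


def build_sample_pdf(uris) -> bytes:
    """Constructed minimal PDF (no xref table, so not viewer-valid, but enough
    for regex triage): one /Link annotation per URI plus an XMP packet whose
    namespace URIs must NOT be counted as links."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n" for u in uris)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots +
            b"] >> endobj\n"
            b"4 0 obj << /Type /Metadata /Subtype /XML /Length "
            + str(len(xmp)).encode() + b" >>\nstream\n" + xmp +
            b"\nendstream endobj\n%%EOF\n")


# Constructed sample: a subset of the URLs listed in the report above.
SAMPLE_URIS = [
    "https://ttraff.cc/pify?keyword=hamlet+character+analysis+essay+pdf",
    "http://files.cherissethurab.com/uploads/1/3/2/6/132695408/179deb2.pdf",
    "http://files.sandiegoiaido.com/uploads/1/3/0/8/130813765/3131509.pdf",
    "https://cdn.shopify.com/s/files/1/0431/7652/5984/files/infeccion_del_cordon_umbilical.pdf",
    "https://cdn.shopify.com/s/files/1/0433/9403/9975/files/inverse_matrix_in_r.pdf",
    "https://cdn.shopify.com/s/files/1/0437/2283/4071/files/bepuwojoguxorezijogi.pdf",
    "https://cdn.shopify.com/s/files/1/0433/4131/6249/files/72022326170.pdf",
    "https://cdn.shopify.com/s/files/1/0430/3713/0914/files/cor_in_r.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    for key, value in link_farm_score(SAMPLE_PDF).items():
        print(f"{key}: {value}")
    print("non-link URLs (metadata):", non_link_urls(SAMPLE_PDF))
```

On the constructed sample the script reports 8 clickable URIs, 7 external .pdf links with cdn.shopify.com holding 5 of them, fires the link-farm rule, names ttraff.cc as a redirector, and returns only the two XMP namespace URIs as non-link URLs. Real-world PDFs often wrap annotations in object streams or encode the URI as a hex string, so a production tool should parse objects (for example with pypdf or a similar library) rather than rely on regexes over raw bytes; the regex form is used here only to keep the example dependency-free.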

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------+-----------------+-------------------------------------------+-----------
font_00_sfnt_off00006661.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6661 | 5456 bytes
  SHA-256: 95d74f07a04ba86d105c8f0524be6ffb0437b4f9f4b129c7f126ae0f50bccf02
font_01_sfnt_off000078cd.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x78CD | 9980 bytes
  SHA-256: 006388c1cde738263622ee80dcfc09b0a5d3386f1fc4263d93400e55887a2d49