Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6b533f91b8fd3e4…

MALICIOUS

PDF

54.7 KB Created: 2020-09-16 14:19:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d14f5759e06126595499ef3149ebb8ac SHA-1: 7529a2ba623c1a0f4cbeb3ce5ebd2a225b813ff7 SHA-256: d6b533f91b8fd3e458acb8934018b1e94fdb462611c22ecab1f2a4aac1045fb5
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

This PDF document contains multiple embedded links, with one specifically identified as a malicious redirector. The document body text, though obfuscated, contains the string 'Internet safety games for high school students' and a URL that points to malicious infrastructure, indicating a phishing or social engineering attempt. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=internet+safety+games+for+high+school+students
    • http://files.cbiky.org/uploads/1/3/1/4/131455621/dc393da805dec0.pdf
    • http://mufosikow.1798bbq.com/uploads/1/3/2/8/132816066/resuxipotuwok_gutewome_vowivogat_katepemegawi.pdf
    • https://64f5dc66-eba9-44e7-aef2-0317ed581e6a.filesusr.com/ugd/e948c1_1ea2e09b28094b12a4d2db7f3fbeb7c8.pdf?index=true
    • https://35524e56-22b8-45d7-86c4-e05bb2650f9a.filesusr.com/ugd/f1780b_367e58c57f8f4dc5bf7f47b816ad1c81.pdf?index=true
    • https://8f33a481-cece-4811-a6d6-28cedb1a338b.filesusr.com/ugd/110ef3_4e9286fb94054995b45370bf38904395.pdf?index=true
    • https://6b147fec-6574-48bf-9ec7-e112632b8eda.filesusr.com/ugd/110ef3_c673ffe798044072bf2e23137d8afba7.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/6117/4687/files/configurar_apn_telcel.pdf
    • https://cdn.shopify.com/s/files/1/0433/8502/8764/files/netefafegiboluvesenube.pdf
    • https://cdn.shopify.com/s/files/1/0440/2987/0245/files/cbse_guide_for_class_10.pdf
    • https://cdn.shopify.com/s/files/1/0436/5149/8142/files/84560028555.pdf
    • https://cdn.shopify.com/s/files/1/0431/8406/2626/files/watch_yes_man_online_free.pdf
    • https://6a76a58f-da07-4b50-9287-0d4295539517.filesusr.com/ugd/565485_8fbed1fe97294fc4b29b6d4682ada4e1.pdf?index=true
    • https://320497c6-5327-4e58-b18c-31287c159d8f.filesusr.com/ugd/610d21_67624ee0efe74a64818bff6f2b4d6637.pdf?index=true
    • https://1fd1e46d-7e27-4981-8a6e-81f7f7feb1ab.filesusr.com/ugd/f1780b_ea2d04bf26524c758be65ef2745fe9e0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://1fd1e46d-7e27-4981-8a6e-81f7f7feb1ab.filesusr.com/ugd/f1780b_ea2d04bf26524c758be65ef2745fe9e0.pdf?in

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008a24.bin
23c008cd1f826064d173468ee69a37597846ab74d1e5e5487ffc84ede5ff9b55		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A24 5356 bytes
font_01_sfnt_off00009c29.bin
5263f5d5ebffbf89d787cd1715586bb202839a659b3c695eaa9a59d9745000d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9C29 10456 bytes
font_02_sfnt_off0000bffc.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBFFC 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.