Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8268b293f6c29c9…

Verdict: MALICIOUS
File type: PDF
Size: 43.5 KB
Created: 2020-08-11 19:22:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0ac07bf0f2d3f2a77413fe4bca473dd
SHA-1: 71d1efcf5fb5874adc00537d53553edcda170ad6
SHA-256: d8268b293f6c29c9caafbe7ce08ead4d890e3732e1e6a1b90e387e65e1459b7f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.ru). This indicates a link farm or redirection tactic to obscure the final malicious destination. The document body, though heavily obfuscated, contains the text 'Square roots of negative numbers worksheet pdf' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous links and the redirection to a malicious URL strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=square+roots+of+negative+numbers+worksheet+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000069a0.bin
SHA-256: ba9884556a08add5739aa81622d84626ac565dd8a29bb7c1d9f4e8458c15fa87
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x69A0
Size: 6008 bytes

Filename: font_01_sfnt_off00007def.bin
SHA-256: 221f4debcd763e68c8c371e8d8ba2dfc56b742c1649bef74b31c9d0d5ce6ca01
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7DEF
Size: 10192 bytes