Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc0a4ca22b3371b4…

MALICIOUS

PDF

70.6 KB Created: 2020-08-31 01:39:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0cd0403d5189b49616bb644557c53e87 SHA-1: cc73a613e433b39bb8753de7227ceaf595cb059a SHA-256: dc0a4ca22b3371b41286268043ba2cafa55ee4e0c031aa9a44d847653bdca5ce
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to 'complementary and supplementary angles word problems worksheet' and the malicious URL itself. This suggests a social engineering lure to redirect the user to a harmful site. The ML_NYX_PDF_MALICIOUS heuristic further supports the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=complementary+and+supplementary+angles+word+problems+worksheet
    • https://cdn.shopify.com/s/files/1/0429/8221/1735/files/24136744304.pdf
    • https://cdn.shopify.com/s/files/1/0432/7918/8118/files/administrao_por_objetivos_resumo.pdf
    • https://cdn.shopify.com/s/files/1/0433/6844/8152/files/80288749921.pdf
    • https://cdn.shopify.com/s/files/1/0432/5621/7750/files/bridge_to_terabithia_2_return_of_leslie_full_movie_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/9249/9877/files/vameb.pdf
    • https://static.usrfiles.com/ugd/b8c837_a94325fa06044123b800983729688ee5.pdf
    • https://static.usrfiles.com/ugd/b8c837_012066c4100a4d72aa42819e8794940d.pdf
    • https://static.usrfiles.com/ugd/cc14e4_992e59602d604b27b2ddfca8b6d32af8.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb6451e830434a869b0256e0a060551a.pdf
    • https://static.usrfiles.com/ugd/b48b60_f3d3b6ae36a34c34b474c579861cc46d.pdf
    • https://static.usrfiles.com/ugd/5926b4_a5489d2731044cde85c3ed215661008d.pdf
    • https://static.usrfiles.com/ugd/e5a943_fa07803d9738452795c7960b3c81ae47.pdf
    • https://static.usrfiles.com/ugd/b8c837_87d4afba8bcf4aff8f54b9396dfdaab7.pdf
    • https://static.usrfiles.com/ugd/b8c837_941cb09722124005a9a745a8750c1b6b.pdf
    • https://static.usrfiles.com/ugd/b4609a_ef85750b837444a68028d2a6c1b1a8ff.pdf
    • https://cdn.shopify.com/s/files/1/0458/5635/8553/files/pibivizodefi.pdf
    • https://cdn.shopify.com/s/files/1/0437/2869/9553/files/guide_gear_boots.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bc3d.bin
dd7b880f1c6958317b71933e3175eb4154b1281d355b69180e4ce829e506ee21		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC3D 2828 bytes
font_01_sfnt_off0000c637.bin
67d051b180882f2bc7238f7e41c5b8456a79c9964ab5c38eef59e06319d0f2ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC637 5628 bytes
font_02_sfnt_off0000d93c.bin
a6c395786923955c28ceb623e54b70069b8d577df25e5f10ff07b18ad88ee3d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD93C 10152 bytes
font_03_sfnt_off0000fbaf.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFBAF 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.