Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3c0cb44addb1cb2…

MALICIOUS

PDF

Size: 51.4 KB
Created: 2020-09-12 07:07:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: df46d39e732471e4684a7ab37a3159b1
SHA-1: 7f6b47c279120cf86defbe54a0094783a01daa2c
SHA-256: e3c0cb44addb1cb27fedb18cdc13815e5be668388172d310d852a2c3f9a4f4fb
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link that redirects to known malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, suggests a lure related to educational material. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, many of which point to the static.usrfiles.com domain, likely part of a link farm to improve search engine ranking for malicious content. The ML_NYX_PDF_MALICIOUS heuristic strongly suggests malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006524.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6524
  Size: 5544 bytes
  SHA-256: feac59a474b0036b9addb563d3d1b8bd1b95b713d79002930aa03b397480499f

Filename: font_01_sfnt_off000077ef.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x77EF
  Size: 10492 bytes
  SHA-256: 56e63b1d16a696615bc52869f1cb1cb907c38f868b942ba15444595fe1aaebd5

Filename: font_02_sfnt_off00009c05.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9C05
  Size: 16288 bytes
  SHA-256: 135b61bc7a41198c29115aa914e1ed5c9eb5abf4e5d7d8c7271b2eeba2326a89

Filename: font_03_sfnt_off0000b194.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB194
  Size: 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3