Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3ebed49fc279669…

MALICIOUS

PDF

39.6 KB Created: 2020-09-02 09:31:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0147c3d159b0250de4247b60e625a7b4 SHA-1: e991ba365d52da3a13bbbf79d37452fa1eef0d7e SHA-256: e3ebed49fc27966973bc0790ab29cf7b7bf86bfe3178444ecddf61d5597bd92e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=compound+words+worksheets+4th+grade'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, one of which is 'https://cdn.shopify.com/s/files/1/0430/6213/2897/files/bofekizunetazaru.pdf'. The document body, though partially corrupted, contains text related to 'Compound words worksheets 4th grade', suggesting a lure to disguise the malicious intent. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=compound+words+worksheets+4th+grade
    • https://cdn.shopify.com/s/files/1/0430/6213/2897/files/bofekizunetazaru.pdf
    • https://cdn.shopify.com/s/files/1/0431/5060/6497/files/nibco_butterfly_valves_catalogue.pdf
    • https://cdn.shopify.com/s/files/1/0437/2270/2999/files/nukamu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0079/1191/files/xekutofalerowu.pdf
    • https://cdn.shopify.com/s/files/1/0430/3480/4375/files/braccus_rexs_tower.pdf
    • https://cdn.shopify.com/s/files/1/0428/5959/3894/files/free_best_3d_games_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0433/5347/3189/files/bedemerazuziniwijoder.pdf
    • https://cdn.shopify.com/s/files/1/0433/5996/1247/files/acres_of_diamond_by_russell_conwell.pdf
    • https://cdn.shopify.com/s/files/1/0434/8005/5965/files/gijuwajizukebowe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/31082235151.pdf
    • https://cdn.shopify.com/s/files/1/0435/3795/7023/files/susaridunifetebewemof.pdf
    • https://cdn.shopify.com/s/files/1/0437/5219/4202/files/audacity_2._3._0_manual_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/1645/4305/files/25439638818.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bfe.bin
95cab7b2bca1dedb052dc168ba3c647d1420521142a4f41d26ffdad2c75f275a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BFE 5492 bytes
font_01_sfnt_off00006e99.bin
8dfba888744d4f3ffee4658228ef0c93612d7a82896f7cfe20baffe60cbda6f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E99 10176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.