Malicious PDF — malware analysis report

Static analysis result for SHA-256 f267a4dd2cce879f…

MALICIOUS

PDF

39.4 KB Created: 2020-08-31 18:21:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7813021572f4777ecd9754f134068a7 SHA-1: f211f944ca8ba325695ece8f2e5f8cad71c6f52c SHA-256: f267a4dd2cce879facc42a9bad6dcdf9cbccceeede8d5fd331a3c5b229f9ed67
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a specific URL that is flagged as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'dance class admission form' and the malicious URL, suggesting a social engineering lure. The presence of numerous external PDF links points to a link farm strategy, likely to obscure the ultimate destination or to improve search engine ranking for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=dance+class+admission+form+format+pdf
    • https://static.usrfiles.com/ugd/ade4e6_f58248ed85574017af4b3e0333382a96.pdf
    • https://static.usrfiles.com/ugd/19103d_1f33f70a79ed423b8d16bdf43a0c6ef8.pdf
    • https://static.usrfiles.com/ugd/8cbfce_bfd5ca0ec4b0432b9254dbde91189bc0.pdf
    • https://static.usrfiles.com/ugd/7f46b5_195063b1f7f24ba898e904b53cdf0a2f.pdf
    • https://static.usrfiles.com/ugd/ce0e6d_da9e3bc05ac64a9bbcea6a51f1309d49.pdf
    • https://static.usrfiles.com/ugd/b8c837_b7293820846345b09da5246d5c378f22.pdf
    • https://static.usrfiles.com/ugd/36f25b_986684dfd6444b769acf1eef1f7458f9.pdf
    • https://static.usrfiles.com/ugd/97368a_6c1bffffee534cd09b059cc27d9519fa.pdf
    • https://static.usrfiles.com/ugd/b4a829_2aa84817e4894976a2cada6fe992c193.pdf
    • https://static.usrfiles.com/ugd/0286dd_a44684fe280f4a5b80fe742ef56f5bfe.pdf
    • https://static.usrfiles.com/ugd/b8c837_e798da19405e44519cb2ee4972d8b6a2.pdf
    • https://static.usrfiles.com/ugd/6da380_b678d9663aa1432d9f333eeb25869f1b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005db2.bin
c5b47f8a1fcd4a8a8247b41f5f962d63fe7e1a5c5f5291640fb12bdd4573a727		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DB2 5300 bytes
font_01_sfnt_off00006fa4.bin
f11e96689ae2bcd2faefacccbde46b4c8a20abe2dae9a24d8db837de121df123		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FA4 9848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.