Malicious PDF — malware analysis report

Static analysis result for SHA-256 f49305a2c1c068ee…

MALICIOUS

PDF

Size: 63.3 KB
Created: 2020-08-15 19:38:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21abf23b39abab99fde3d7f51666891d
SHA-1: 61e9dd77d05963b82932f0fdb97097366b3d68d9
SHA-256: f49305a2c1c068eeb148c6906540deee214808e2cf5bb2f41050eb9c8fa6933f
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the ID refers to the link sub-technique; T1566.001 is Spearphishing Attachment, and the findings below are link-based)
T1059.001 Command and Scripting Interpreter: PowerShell (assigned by the platform; no script or PowerShell content was recovered from this sample, so this mapping is not supported by the extracted evidence)

A heuristic fired on a clickable link to a known malicious redirector, 'https://ttraff.com/wb?keyword=spongebob%20dihybrid%20crosses%20worksheet%20answer%20key'. The same URL also appears in the document body, alongside numerous other links to PDF files hosted on cdn.shopify.com and several other file-hosting domains, a pattern consistent with a generated link-farm carrier used for SEO poisoning or traffic redirection. The ML classifier scored the PDF as malicious (score 1.0000). No scripts were extracted, and none of the findings point to a parser vulnerability: the attack path depends on the victim opening the lure and clicking into a redirect chain, so any payload is fetched downstream of the redirector rather than carried inside this file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the document itself is the lure and the redirector is the first hop of the delivery chain.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external links to other PDF files, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the rule is rated info unless the duplicate carries active content (actions, JavaScript, launch targets); in this sample it stays at info, consistent with no script having been extracted.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: the per-URL channel labels (macro, JS, link annotation, document body, ...) show which path reached each URL.
    • https://ttraff.com/wb?keyword=spongebob%20dihybrid%20crosses%20worksheet%20answer%20key
    • http://files.wrkimages.com/uploads/1/3/2/8/132814906/tugoba.pdf
    • http://files.stergioschatzikyriakidis.com/uploads/1/3/1/0/131070538/veseferunedod.pdf
    • http://pozavema.biggreenadventuretours.com/uploads/1/3/1/6/131606146/mokilera.pdf
    • http://files.tigerflyoutfitters.com/uploads/1/3/1/8/131856277/mifiraxanejek.pdf
    • https://cdn.shopify.com/s/files/1/0432/6470/4662/files/patodibisijapix.pdf
    • https://cdn.shopify.com/s/files/1/0431/0741/8273/files/54313865509.pdf
    • https://cdn.shopify.com/s/files/1/0429/6297/6921/files/vuberipukulimurom.pdf
    • https://cdn.shopify.com/s/files/1/0432/6418/0390/files/73154014509.pdf
    • https://cdn.shopify.com/s/files/1/0431/6263/2360/files/14564950952.pdf
    • https://cdn.shopify.com/s/files/1/0429/3669/6999/files/deruxodibifupuw.pdf
    • https://cdn.shopify.com/s/files/1/0437/7142/9016/files/alouette_in_english.pdf
    • https://cdn.shopify.com/s/files/1/0432/3645/8654/files/47466974782.pdf
    • https://cdn.shopify.com/s/files/1/0428/7404/4579/files/xodamu.pdf
    • https://cdn.shopify.com/s/files/1/0438/4423/9510/files/national_geographic_world_english_3_workbook.pdf
    XML namespace identifiers from the document metadata (XMP/RDF schema URIs, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
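The three checks described above (clustering of clickable .pdf URIs on one host, duplicate object bodies that first-wins and last-wins readers resolve differently, and separating link-action URLs from metadata namespace URIs) can be reproduced with a small scanner. The following is an added example written for this page, not the analysis platform's own code. It builds a constructed sample PDF in memory (the hostnames, thresholds and object layout are assumptions), and it goes one step beyond this sample: the duplicated page object gains an /AA action so the severity escalation that the info-rated duplicate here did not trigger is also exercised. The scan is regex-based and does not follow xref tables or decode streams, so it is a triage aid rather than a parser.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Keys whose presence in an object body means it can trigger actions or code
# on open/click; a duplicated object carrying one of these is rated above info.
ACTIVE_KEYS = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia|SubmitForm)\b")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)  # "N G obj ... endobj"
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                          # clickable link action target
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')                       # XMP/RDF namespace declaration


def build_sample_pdf(farm_links=12, farm_host="cdn.example-host.test"):
    """Constructed sample (assumption, not the analysed file): one redirector
    link, farm_links links to .pdf files on one host, an XMP packet, and two
    objects redefined incremental-update style: object 4 changes only a
    string (benign), object 3 gains an /AA action with JavaScript (active)."""
    annots = [b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirect.example.test/wb?keyword=x) >> >>"]
    for i in range(farm_links):
        annots.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://%s/files/%d.pdf) >> >>"
                      % (farm_host.encode(), i))
    xmp = b'<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(annots)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj",
        b"4 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj",
        b"5 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n%s\nendstream endobj" % (len(xmp), xmp),
    ]
    for i, annot in enumerate(annots):
        objs.append(b"%d 0 obj %s endobj" % (10 + i, annot))
    # Later definitions of already-defined objects, as an incremental update would append them.
    objs.append(b"4 0 obj << /Producer (wkhtmltopdf 0.12.6) >> endobj")
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def channel_urls(pdf):
    """URLs grouped by the channel that carries them: /URI link actions the
    reader will follow on click, versus namespace URIs in metadata that are
    schema identifiers and never dereferenced by a viewer."""
    return {
        "uri_action": [u.decode("latin-1") for u in URI_RE.findall(pdf)],
        "xmp_namespace": [u.decode("latin-1") for u in XMLNS_RE.findall(pdf)],
    }


def link_farm_check(pdf, max_size=200_000, min_pdf_links=8, cluster_ratio=0.6):
    """Link-farm shape: a small file whose clickable links are mostly external
    .pdf targets clustered on a single host. Thresholds are assumptions."""
    pdf_links = [u for u in channel_urls(pdf)["uri_action"] if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    hit = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
           and top_count / len(pdf_links) >= cluster_ratio)
    return {"hit": hit, "pdf_links": len(pdf_links), "top_host": top_host, "top_count": top_count}


def duplicate_objects(pdf):
    """Same (number, generation) defined more than once with differing bodies.
    Records what a first-wins and a last-wins parser would each resolve, and
    rates the finding 'raised' only if some body carries active content."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, bodies in seen.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(ACTIVE_KEYS.search(b) for b in bodies)
            findings.append({"obj": key, "first": bodies[0], "last": bodies[-1],
                             "severity": "raised" if active else "info"})
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(channel_urls(sample))
    print(link_farm_check(sample))
    for finding in duplicate_objects(sample):
        print(finding["obj"], finding["severity"], "first-wins:", finding["first"][:40], "last-wins:", finding["last"][:40])
```

Running the file prints the findings for the built-in sample; to triage a real file, pass its bytes to the three functions. Objects packed into compressed object streams (/ObjStm) and URIs inside FlateDecode streams are invisible to this scan, so inflate streams first (or use a full parser) before trusting a clean result.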

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs (sfnt); no heuristic in this report fires on them, and their hashes are listed so they can be matched against known font files.

Filename: font_00_sfnt_off00009f37.bin
  SHA-256: 9e930a7addac52418864887927ca661210cf52205186850714eea3b38f618a2a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9F37
  Size: 2828 bytes
Filename: font_01_sfnt_off0000a932.bin
  SHA-256: 3cd2bfa6f2df2efb4c5e9a9926bafd4f40fd921f3dc9e6033bcd32814ac0e819
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA932
  Size: 5592 bytes
Filename: font_02_sfnt_off0000bc30.bin
  SHA-256: 83811126a445dee45957ee10a04345def0046997cb42d92c02c31af1abcf9896
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBC30
  Size: 10368 bytes
Filename: font_03_sfnt_off0000dfa8.bin
  SHA-256: 781b9fae2fb9201b4a05d2041fea553bb2973f1d011ab9c51e3326c72e342c60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDFA8
  Size: 4324 bytes