Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7190ffcabb169a0…

MALICIOUS

PDF

54.0 KB Created: 2020-07-26 19:30:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b16c3f16012254701a211df9ce2c8b5a SHA-1: 3377f778c8445871a5698407e7e2be18948a9db9 SHA-256: f7190ffcabb169a093b97bbbc31f17830f9c72e60815b003a64fa93eddce72fa
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to 'cursive writing worksheets'. The ML classifier also strongly indicated maliciousness. The primary attack vector involves tricking the user into clicking the malicious link, which then redirects to further malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=cursive+writing+worksheets+pdf
    • http://files.gracecatcollective.com/uploads/1/3/1/4/131437605/b73f2e8d7c.pdf
    • http://files.campbellchallenge.org/uploads/1/3/0/7/130776054/cd768.pdf
    • http://files.homecheftraining.com/uploads/1/3/0/9/130969154/lofineparamuf.pdf
    • http://files.gr
    • https://cdn.shopify.com/s/files/1/0436/9406/3770/files/pudiv.pdf
    • https://cdn.shopify.com/s/files/1/0437/6081/2189/files/70105256443.pdf
    • https://cdn.shopify.com/s/files/1/0430/9729/2949/files/mamovefalifeferowogir.pdf
    • https://cdn.shopify.com/s/files/1/0428/9599/9129/files/segolimubemivigunazofoxi.pdf
    • https://cdn.shopify.com/s/files/1/0430/1471/7597/files/kubewejusanomusokije.pdf
    • https://cdn.shopify.com/s/files/1/0433/8365/2506/files/74688867163.pdf
    • https://cdn.shopify.com/s/files/1/0432/4841/8973/files/13877980096.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/banegebuvupipabewuve.pdf
    • https://cdn.shopify.com/s/files/1/0427/8901/1612/files/sazunanifuteduvelasosi.pdf
    • https://cdn.shopify.com/s/files/1/0429/2483/4982/files/fajelulujujipebofe.pdf
    • https://cdn.shopify.com/s/files/1/0431/5856/9128/files/16866652827.pdf
    • https://cdn.shopify.com/s/files/1/0432/8800/2710/files/wakemokutolikikakidexeb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009689.bin
2a0351db43485c9376aed6e6895ada9365fee65014e51bb76a1d285867e8e4e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9689 5180 bytes
font_01_sfnt_off0000a845.bin
e919abeaf9f1021cc82450adfc770a56883721127c2ff5bb4c8fefadd248d9fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA845 10064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.