Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb2d61c27f860cf2…

MALICIOUS

PDF

45.0 KB Created: 2020-08-30 21:20:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6b4ceb9d20ec76f475d9d6e9214b35d SHA-1: 4495656c3b64582efbdcaeb5301d76fab6d2564f SHA-256: fb2d61c27f860cf2567f052d8a5af643130e74b679cb91ae94a262de57267f72
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a malicious domain, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text suggesting a lure related to a business accounting textbook. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, likely for SEO manipulation or to distribute the malicious payload. The ML_NYX_PDF_MALICIOUS heuristic strongly supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=frank+wood+business+accounting+1+14th+edition+pdf
    • https://static.usrfiles.com/ugd/41a0b6_78996529a21645e785f8d2f6bad8432d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ee1325504ed1429fb9beb20de4d50bf7.pdf
    • https://static.usrfiles.com/ugd/b8c837_e03fbc2826624aef8dd0d6211dca4743.pdf
    • https://static.usrfiles.com/ugd/b8c837_36494b0bbf4a44a7b0824d11e60dc957.pdf
    • https://static.usrfiles.com/ugd/086daf_5c20e4eda7344ce0a2a50d01681fcd86.pdf
    • https://static.usrfiles.com/ugd/b8c837_b71340a52ce44950926d405c7b26cc05.pdf
    • https://static.usrfiles.com/ugd/b8c837_e962df802f1f4e73a24d8e0deb434db3.pdf
    • https://static.usrfiles.com/ugd/b8c837_e6074e6653574cd1ae5f8497ca3ed827.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d11e7ab723e474db2ac34467a97e171.pdf
    • https://static.usrfiles.com/ugd/c1615c_8d191c0d30e040b7b696a1ce7af4c4f4.pdf
    • https://static.usrfiles.com/ugd/b8c837_00b3841e60a445598df8d3c5c2635e84.pdf
    • https://static.usrfiles.com/ugd/b8c837_8851dfdb54e04661ba2ea098443a24b2.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1f893424f6f45a6bf6d60411436a869.pdf
    • https://static.usrfiles.com/ugd/b8c837_9111885aa33d4c6ead162a81e014f658.pdf
    • https://static.usrfiles.com/ugd/b8c837_73d299d862fd4e2e9863d1280a5e008d.pdf
    • https://static.usrfiles.com/ugd/41a0b6_318d5c05f2e749e187384575010ea5c7.pdf
    • https://static.usrfiles.com/ugd/5bb01c_bc43148c33a64923947cfc4230ade55f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ef1.bin
6cc6af7e58bd0754600ce425062964e91f0dc0821692459a04beb0a1cda18887		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EF1 5776 bytes
font_01_sfnt_off000082bd.bin
78691aa00f98033d3885604097448675df53b96b3361cb96eab44473719b22dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82BD 10576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.