PDF malware analysis — malicious · 35931eaef677b831

MALICIOUS

PDF

48.2 KB Created: 2020-08-17 13:57:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ba636bf3c3ffce5f28bf775bb421012e SHA-1: 2a84ed082c7d49e157368a038f20194c60879543 SHA-256: 35931eaef677b83197fc527e97e995b78fa08073a3ed31ff10b3e4252d6cc17f

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link disguised as an admit card download, which redirects to a known malicious URL. The PDF also features a link farm, with many links pointing to Shopify domains, likely for SEO manipulation to increase visibility. The primary malicious URL identified is https://ttraff.cc/pify?keyword=bihar+board+online+admit+card+2020.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=bihar+board+online+admit+card+2020
- http://files.boutiquetatin.com/uploads/1/3/1/4/131438510/3392112.pdf
- http://files.willowwildedges.com/uploads/1/3/1/8/131856443/xukopiwome-tojazelapiz-kasivezobisu-sunezurawuse.pdf
- http://files.michellepannorsilver.com/uploads/1/3/1/0/131070888/2f8ae263fcf.pdf
- http://zadoja.renegadegreens.com/uploads/1/3/1/4/131437532/2373141.pdf
- https://cdn.shopify.com/s/files/1/0428/8148/2919/files/chip_challenge_download.pdf
- https://cdn.shopify.com/s/files/1/0433/0727/0312/files/fuel_cell_engines_mench.pdf
- https://cdn.shopify.com/s/files/1/0434/1681/3735/files/rugaxilevakisikaparigo.pdf
- https://cdn.shopify.com/s/files/1/0431/5299/8556/files/75682183133.pdf
- https://cdn.shopify.com/s/files/1/0437/6713/6408/files/lojud.pdf
- https://cdn.shopify.com/s/files/1/0428/5366/2883/files/var_mobile_media_itunes_control.pdf
- https://cdn.shopify.com/s/files/1/0431/6463/1195/files/mamufudadewizitivajo.pdf
- https://cdn.shopify.com/s/files/1/0433/8073/6151/files/86536492226.pdf
- https://cdn.shopify.com/s/files/1/0429/0645/2127/files/1269975182.pdf
- https://cdn.shopify.com/s/files/1/0431/8740/4968/files/bezuxopefazakisezevarar.pdf
- https://cdn.shopify.com/s/files/1/0431/7518/2485/files/ajikan_meditation.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006746.bin` `9fd76dba2d47546b2af0946b62a7210635d857225fb6e2aa4738bf250d9b3c02`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6746	5464 bytes
`font_01_sfnt_off000079aa.bin` `a95439dc157eec1ae02e6b8026cf61625740ae045f90b2f830b1c2db75ed8d21`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79AA	10136 bytes
`font_02_sfnt_off00009cae.bin` `da4b76809bc2fafffb3621e4775887e7c8a98948b48f78ae2e511df2dc8e4fcb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9CAE	6576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.