PDF malware analysis — malicious · 3b881c86fb861878

MALICIOUS

PDF

44.2 KB Created: 2020-09-02 13:16:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d2e32f7ceed01926cd75f2747f171a5e SHA-1: fc9f6ac473f3c64b2bd72e2257838d51532b5395 SHA-256: 3b881c86fb861878cd073c64737e81d4e1a9b904fcb95a4749c0f723c31bd3b2

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.me/wix?keyword=5th+grade+nonfiction+reading+comprehension+worksheets. The document body, though heavily obfuscated, contains references to educational worksheets, likely a lure to disguise the malicious intent. The ML classifier strongly supports the malicious verdict.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=5th+grade+nonfiction+reading+comprehension+worksheets
- https://static.usrfiles.com/ugd/74e9cf_805039c6d17041d5a595847ddc753e29.pdf
- https://static.usrfiles.com/ugd/b8c837_9548bc96a7074bd3b6b505c4f8f6eca4.pdf
- https://static.usrfiles.com/ugd/1d64af_244619bdce56400c91b2547d14908d99.pdf
- https://cdn.shopify.com/s/files/1/0440/0575/2997/files/boeing_747_maintenance_manual.pdf
- https://static.usrfiles.com/ugd/35ddae_b1c5b278ba014d208f009f16445fed6c.pdf
- https://static.usrfiles.com/ugd/b8c837_3f2fac69a3194e92864e903fbfe23559.pdf
- https://static.usrfiles.com/ugd/7ff653_e7772f4f6fbf420498a53e6958808981.pdf
- https://static.usrfiles.com/ugd/269bb8_6db2898321f54e009abc65a627f1211c.pdf
- https://static.usrfiles.com/ugd/b8c837_146b08c34cde469494a55c87ba4bcac1.pdf
- https://cdn.shopify.com/s/files/1/0439/3716/9576/files/juliresezelifoje.pdf
- https://cdn.shopify.com/s/files/1/0434/7982/6597/files/engineering_economy_8th_edition_solu.pdf
- https://cdn.shopify.com/s/files/1/0434/5639/7474/files/read_50_shades_of_grey.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006d29.bin` `ecbe59b114f43559e1740decc94b865f23ced71eff2face410fe4d875fc89a0f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D29	5724 bytes
`font_01_sfnt_off00008091.bin` `566c7d129e388d3f574e20f4cdbc716e16359802c453b7faf45534979c96b949`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8091	10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.