PDF malware analysis — malicious · 45807cb6b56ab90f

MALICIOUS

PDF

47.6 KB Created: 2020-08-17 07:57:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c3081beed6749194a1afe2b199505a6c SHA-1: b6593ab3823a85f3e661588d9b446c88e7aa1e26 SHA-256: 45807cb6b56ab90f9b5fe29949b3576d16f2c0676157c2e7aebe67866dbfa626

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text related to a scholarship form and the malicious URL. The primary malicious URL is https://ttraff.cc/pify?keyword=hbse+10th+scholarship+form+2019, which is likely used to redirect the user to a further malicious destination.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=hbse+10th+scholarship+form+2019
- http://dixoxax.whitefishtherapy.com/uploads/1/3/1/4/131406361/pizopezasovovek_waxetarujaf_tutuzukasimur.pdf
- http://zujufu.poetryjockeys.nl/uploads/1/3/1/3/131380213/c286bba9.pdf
- http://files.andreavytlacilova.com/uploads/1/3/0/7/130738918/fubosager.pdf
- http://files.markdalebaptist.org/uploads/1/3/1/0/131070051/2384278fc0ae991.pdf
- http://files.andersonvocal.com/uploads/1/3/0/7/130775025/8056626.pdf
- https://cdn.shopify.com/s/files/1/0438/0744/1053/files/arrow_learning_by_doing.pdf
- https://cdn.shopify.com/s/files/1/0430/6065/8333/files/kavuzogikudelawe.pdf
- https://cdn.shopify.com/s/files/1/0429/2067/3433/files/arcanum_unbounded_free.pdf
- https://cdn.shopify.com/s/files/1/0427/9359/9132/files/31750725286.pdf
- https://cdn.shopify.com/s/files/1/0438/2729/8461/files/memorandum_of_agreement_sample_business_partnership_philippines.pdf
- https://cdn.shopify.com/s/files/1/0428/0942/6079/files/felogofukigemamavefafilem.pdf
- https://cdn.shopify.com/s/files/1/0435/4277/3914/files/fekawujeremuzab.pdf
- https://cdn.shopify.com/s/files/1/0432/7358/4793/files/gibetuzuso.pdf
- https://cdn.shopify.com/s/files/1/0432/1666/6786/files/99091730948.pdf
- https://cdn.shopify.com/s/files/1/0448/0742/2109/files/85099450774.pdf
- https://cdn.shopify.com/s/files/1/0433/1569/1678/files/98428293377.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006580.bin` `816a860383f6316e5ca19ff6b902155d85043492cd52f73ef7694eec0736f10b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6580	5840 bytes
`font_01_sfnt_off00007934.bin` `fdbf01aab72766b8f256134ae4a59f6885e2267b0553872fc1b2ac5755517bb3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7934	10416 bytes
`font_02_sfnt_off00009d1f.bin` `45f84c337a35e699ab4b94f3b68433b44fbb022d067ef0fe436fd66856700698`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9D1F	5616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.