PDF malware analysis — malicious · 55665ac9a7a0c9f1

MALICIOUS

PDF

43.1 KB Created: 2020-08-21 22:03:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d564650c4cd1645dc1d3dd4151f7bc84 SHA-1: 6a511c987d420b23d315b5cfcb39048e748df5af SHA-256: 55665ac9a7a0c9f1c27abc87bf5dca8305aa63e70cd81abff13849592207aeec

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a lure for "Byju app apk" and embeds a large number of external links, many of which point to a redirector. One critical heuristic indicates the PDF links to known malicious redirector infrastructure, specifically `https://ttraff.cc/pify?keyword=byju+app++apk`. Another heuristic identifies this as an advance-fee scam lure, suggesting the intent is to trick users into clicking malicious links under the guise of a prize or delivery. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=byju+app++apk
- http://weluji.michaljphotography.com/uploads/1/3/0/7/130775173/4070900.pdf
- http://kotija.acct301.ehabacademy.com/uploads/1/3/0/8/130813714/bupolo.pdf
- http://files.globalreg.info/uploads/1/3/0/8/130874110/1a5b226958dc.pdf
- http://files.cloverdalepreschool.com/uploads/1/3/1/8/131857580/345f1d.pdf
- https://cdn.shopify.com/s/files/1/0434/6734/1981/files/fusionner_2_documents_en_un_seul.pdf
- https://cdn.shopify.com/s/files/1/0438/1186/4738/files/55522670142.pdf
- https://cdn.shopify.com/s/files/1/0435/2190/0696/files/tecnicas_de_busqueda_de_informacion.pdf
- https://cdn.shopify.com/s/files/1/0462/2680/0791/files/getuvezevajoposutujut.pdf
- https://cdn.shopify.com/s/files/1/0431/1705/2066/files/rijijanomaminogomizuravat.pdf
- https://cdn.shopify.com/s/files/1/0440/1594/3845/files/characteristics_of_enterobacteriaceae.pdf
- https://cdn.shopify.com/s/files/1/0433/9164/7894/files/27390780880.pdf
- https://cdn.shopify.com/s/files/1/0437/0743/3125/files/talutefupaw.pdf
- https://cdn.shopify.com/s/files/1/0432/8760/9497/files/tapisivugoj.pdf
- https://cdn.shopify.com/s/files/1/0432/9390/0958/files/46686767726.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006bea.bin` `299857f837d56f9af8208ef81457e04d85bb9feaad2d20f4d4dff60ffd5d5b92`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BEA	4796 bytes
`font_01_sfnt_off00007c67.bin` `c062c3ef727857a19413934f5b11a42d47392dec710b82fb0a6d6e2d7ea1c736`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C67	10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.