PDF malware analysis — malicious · 877f08da784c8bc2

MALICIOUS

PDF

40.7 KB Created: 2020-08-28 10:20:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 239ac7bea41414e1bfe3209fecc63a9f SHA-1: 19e0053c1f87acdbf08690acf3ff8676e6f6e83d SHA-256: 877f08da784c8bc2953bf0c3b8d9cf0b9c7f5737e55aa7b6fc2f129b53c28e11

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector at ttraff.cc. The document body, though heavily obfuscated, contains text related to 'fsa ela reading practice test questi' and a URL that appears to be part of a link farm designed for SEO manipulation. This suggests a phishing or scam attempt disguised as educational content, aiming to redirect users to malicious infrastructure.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=fsa+ela+reading+practice+test+questi
- http://files.revivetheroxy.org/uploads/1/3/0/9/130969624/f915fe38be5f.pdf
- https://cdn.shopify.com/s/files/1/0436/9602/9864/files/fodewanel.pdf
- https://cdn.shopify.com/s/files/1/0431/3907/2161/files/85704528457.pdf
- https://cdn.shopify.com/s/files/1/0430/7366/7225/files/vetozexubaxujupirisegufu.pdf
- https://cdn.shopify.com/s/files/1/0435/9153/2699/files/94860773104.pdf
- https://cdn.shopify.com/s/files/1/0431/5650/4744/files/56112104553.pdf
- https://cdn.shopify.com/s/files/1/0437/5959/9777/files/king_crimson_epitaph.pdf
- https://cdn.shopify.com/s/files/1/0434/8762/5369/files/77853586917.pdf
- https://cdn.shopify.com/s/files/1/0431/6079/7333/files/voxengo_voxformer_serial.pdf
- https://cdn.shopify.com/s/files/1/0437/9816/7713/files/sibojodepegizu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000058e8.bin` `b3b188b8c9491feb47eff1f0fc65610575b3b9beea3dfcfba453a1b098664ae7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x58E8	1716 bytes
`font_01_sfnt_off00006142.bin` `ab23e051d39589b626a14a19a5c9db9ef3c2037429e49e9f4be4c7a84f9169ee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6142	5320 bytes
`font_02_sfnt_off0000735b.bin` `bedaeb31b18782124473ed91c617ab5a3991c470337626062c4fc14815ab5094`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x735B	10116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.