PDF malware analysis — malicious · b41fb16b3f8ecce5

MALICIOUS

PDF

47.6 KB Created: 2020-09-07 21:02:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bbbbd52b75f5873b375eb879bd3837b9 SHA-1: 8d183f312ef9dc971a4a557b4789eef7e33dd0ea SHA-256: b41fb16b3f8ecce5b813dd5f87e619e7030bfbb85e0d552aa296f4a3e7150325

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its structure containing a large number of external links, a technique often used for SEO poisoning or to distribute malicious content. Specifically, it features a redirector link to 'https://ttraff.link/wix?keyword=chalmette+elementary+school+uniforms', which is flagged as malicious. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=chalmette+elementary+school+uniforms
- https://static.usrfiles.com/ugd/b8c837_acc9996442cf4f24886946e74f2cdc9d.pdf
- https://static.usrfiles.com/ugd/83e24f_af32eb69051142a39d1bf01fc8b0b888.pdf
- https://static.usrfiles.com/ugd/21e6f2_31bbbf71641a4fdab91fc7bedf0d9520.pdf
- https://static.usrfiles.com/ugd/f1c748_99cc80a1a8db4c799f97bd8b2484995c.pdf
- https://static.usrfiles.com/ugd/11b39a_431293b5e737488aa7ec29405a3f9359.pdf
- https://static.usrfiles.com/ugd/451461_c49a27af0fd84a35b1f5da2773719fd1.pdf
- https://static.usrfiles.com/ugd/2b98a3_81d2a33135764314977777ce06580cfd.pdf
- https://static.usrfiles.com/ugd/f515ca_cdfdfea06c904b83a6bad4df6bedc376.pdf
- https://static.usrfiles.com/ugd/868b90_9e6815c8638c402f8d8763bf8695a65f.pdf
- https://static.usrfiles.com/ugd/3bcfef_f68d5e3fcdfa425c85ca4a109e795476.pdf
- https://static.usrfiles.com/ugd/270e53_361a6b31e1c34934b9e8e3589737327d.pdf
- https://static.usrfiles.com/ugd/850f07_ed9859e8f2e54189b13b604fa1feccda.pdf
- https://static.usrfiles.com/ugd/81d6a4_0fac26d24bcd4f40a7d36968949d1809.pdf
- https://static.usrfiles.com/ugd/b8c837_6c02f632acf84c31aeea09f667e395a6.pdf
- https://static.usrfiles.com/ugd/ad8f3a_56bb35b73bcf41048c173757f4ac7811.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ef1.bin` `66bcc01c11e1b7825b679162d5cb6436f7272669f0c16b6fdd3607c1604e27a6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6EF1	5128 bytes
`font_01_sfnt_off00008040.bin` `00bbff20c34c6482db3a5188f224e0015375495c66e78065fda9836403d74619`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8040	10184 bytes
`font_02_sfnt_off0000a316.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA316	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.