Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a15a7191afcb60…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Created: 2020-09-01 01:12:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03164cb0c1fa9932c3cf69d13780279b
SHA-1: 29d4191da6d8338ad1c83d275cb4274c49b2687d
SHA-256: b6a15a7191afcb60e15a8fd805f86cf8b58a8741416269157183b843e9e16b07
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the lure is a clickable redirector URL inside the document; T1566.001 is the ID for a malicious attachment payload)
T1059.001 PowerShell (not supported by the extracted artifacts: no scripts were recovered from this sample)

The PDF contains a link farm of external .pdf URLs plus a single redirector URL on ttraff.com that carries the lure keyword as a query parameter, which points to a phishing or scam delivery chain rather than a parser exploit. The document body text, though partly corrupted, still contains the lure phrase 'aitt apprentice exam paper pdf' and the redirector URL, consistent with a generated SEO carrier document. The ML classifier scored the sample as malicious with the maximum score. No embedded scripts were extracted, so the likely intent is to lead a user who clicks the link to a malicious site for further exploitation, unwanted-software installation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is what the two heuristics above act on.
    Redirector URL (clickable link annotation; the host matched by PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/wix?keyword=aitt+apprentice+exam+paper+pdf
    External PDF links (clickable link annotations counted by PDF_SEO_LINK_FARM: 8 on static.usrfiles.com, 4 on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/451461_01a63b007ee74ac580d7014e0dbda740.pdf
    • https://static.usrfiles.com/ugd/3f0e57_72cbf9d8249f46e4a8f5409fb108d026.pdf
    • https://static.usrfiles.com/ugd/fb83f1_1d10a45e7152449a99cf99a254ab139f.pdf
    • https://static.usrfiles.com/ugd/b8c837_b818b6c3533a4e4dbe5128b69367856b.pdf
    • https://cdn.shopify.com/s/files/1/0428/6955/5359/files/birth_control_options_spanish.pdf
    • https://cdn.shopify.com/s/files/1/0438/3830/8512/files/bookmarks_in_word_not_working_in.pdf
    • https://cdn.shopify.com/s/files/1/0429/4639/6326/files/journal_of_agricultural_and_food_chemistry.pdf
    • https://cdn.shopify.com/s/files/1/0435/6079/6318/files/senizuvaxupejagi.pdf
    • https://static.usrfiles.com/ugd/a1fb72_6840afa5e340420b999d6af4d84fa4d2.pdf
    • https://static.usrfiles.com/ugd/99afdc_7cc2ea924b81429aa2bd6a71a9b0ace5.pdf
    • https://static.usrfiles.com/ugd/87fdc7_a68a09c812d4499da0307a8804335b6c.pdf
    • https://static.usrfiles.com/ugd/b8c837_55bf3f6d318a4a059be0e1e5e90bd68c.pdf
    XMP/RDF namespace identifiers from the metadata stream (not clickable links; standard schema URIs that carry no signal on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
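The two critical heuristics above can be reproduced with a short script. The following is an added example written for this page, not the analysis platform's own code: it attributes each URL to a channel (a URI action inside a link annotation is clickable; a URL that appears only in XMP metadata is not), then applies the redirector and link-farm checks. The regexes work on raw PDF object syntax and therefore only see annotations and metadata stored uncompressed (a file with compressed object streams needs a real PDF parser first); the thresholds, the known-redirector host list, and the constructed sample PDF are all assumptions chosen to mirror this report.

```python
"""Channel-attributed URL extraction and SEO link-farm scoring for a PDF.

Added example for this report, not the analysis platform's code. Works on raw,
uncompressed PDF object syntax; thresholds and the redirector list are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# A clickable link: URI action inside a link annotation, /A << /S /URI /URI (...) >>.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Any http(s) URL anywhere in the bytes (metadata, body text, annotations).
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Assumption: seeded from the host this report flags; extend from threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}


def extract_urls(pdf_bytes):
    """Split URLs by channel: clickable link annotations vs. everything else."""
    clickable = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)}
    seen = {m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf_bytes)}
    return clickable, seen - clickable


def redirector_links(pdf_bytes):
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URLs on known redirector hosts."""
    clickable, _ = extract_urls(pdf_bytes)
    return sorted(u for u in clickable if urlparse(u).netloc.lower() in KNOWN_REDIRECTOR_HOSTS)


def seo_link_farm(pdf_bytes, max_size=100_000, min_links=8, min_host_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links, one dominant host.

    Returns a dict describing the cluster, or None when the heuristic does not fire.
    Thresholds are assumptions (100 KB, 8 links, 50 % share on the top host).
    """
    if len(pdf_bytes) > max_size:
        return None
    clickable, _ = extract_urls(pdf_bytes)
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < min_links:
        return None
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0]
    if top_count / len(pdf_links) < min_host_share:
        return None
    return {"links": len(pdf_links), "top_host": top_host, "top_count": top_count}


# Constructed sample (not the analysed file): the URLs listed in this report.
SAMPLE_URLS = [
    "https://ttraff.com/wix?keyword=aitt+apprentice+exam+paper+pdf",
    "https://static.usrfiles.com/ugd/451461_01a63b007ee74ac580d7014e0dbda740.pdf",
    "https://static.usrfiles.com/ugd/3f0e57_72cbf9d8249f46e4a8f5409fb108d026.pdf",
    "https://static.usrfiles.com/ugd/fb83f1_1d10a45e7152449a99cf99a254ab139f.pdf",
    "https://static.usrfiles.com/ugd/b8c837_b818b6c3533a4e4dbe5128b69367856b.pdf",
    "https://cdn.shopify.com/s/files/1/0428/6955/5359/files/birth_control_options_spanish.pdf",
    "https://cdn.shopify.com/s/files/1/0438/3830/8512/files/bookmarks_in_word_not_working_in.pdf",
    "https://cdn.shopify.com/s/files/1/0429/4639/6326/files/journal_of_agricultural_and_food_chemistry.pdf",
    "https://cdn.shopify.com/s/files/1/0435/6079/6318/files/senizuvaxupejagi.pdf",
    "https://static.usrfiles.com/ugd/a1fb72_6840afa5e340420b999d6af4d84fa4d2.pdf",
    "https://static.usrfiles.com/ugd/99afdc_7cc2ea924b81429aa2bd6a71a9b0ace5.pdf",
    "https://static.usrfiles.com/ugd/87fdc7_a68a09c812d4499da0307a8804335b6c.pdf",
    "https://static.usrfiles.com/ugd/b8c837_55bf3f6d318a4a059be0e1e5e90bd68c.pdf",
]
XMP_NAMESPACES = [
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
]


def build_sample_pdf(urls, namespaces):
    """Assemble a structurally minimal PDF (no xref table) with one link annotation per URL."""
    xmp = "<rdf:RDF " + " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(namespaces)) + "/>"
    refs = " ".join(f"{5 + i} 0 R" for i in range(len(urls)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n".encode(),
        f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
        f"stream\n{xmp}\nendstream\nendobj\n".encode(),
    ]
    for i, url in enumerate(urls):
        objs.append(f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n".encode())
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, XMP_NAMESPACES)

if __name__ == "__main__":
    clickable, metadata_only = extract_urls(SAMPLE_PDF)
    print(f"{len(clickable)} clickable link(s), {len(metadata_only)} non-clickable URL(s)")
    print("redirector:", redirector_links(SAMPLE_PDF))
    print("link farm:", seo_link_farm(SAMPLE_PDF))
```

On the constructed sample the script reports 13 clickable links and 3 metadata-only URIs, flags the ttraff.com link as the redirector, and fires the link-farm heuristic on 12 external .pdf links with 8 of them on static.usrfiles.com. Dropping the link count below the threshold, or feeding a large file, returns None, which is the point of keeping the size and host-share conditions in the heuristic: a long reference list in a real paper spreads across many hosts and lives in a much bigger file.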

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, consistent with the wkhtmltopdf authoring application; the report records no detection on either font stream.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005444.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5444   5148 bytes
  SHA-256: 90c631c755b423b4dad93570c26b8662f84a93d3e9a59384027ac87b67db3a6c
font_01_sfnt_off000065bb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x65BB   10280 bytes
  SHA-256: b3fd49e3c0117fb5d847dcd57f812a8f085ca37df461cd8dcd4df28250625890