PDF malware analysis — malicious · d0a396344ccf1688

MALICIOUS

PDF

47.2 KB Created: 2020-10-08 04:49:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22

MD5: 2e7f765dfcfe88692a84b30bbb9f790c SHA-1: 88f944d649f41cf49362f3483f567636e38090d6 SHA-256: d0a396344ccf1688ac68ef3116dc80fea1182b1e39ceae130303faef09549311

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document is designed as a link farm, presenting a seemingly innocuous title ('Chemistry unit 4 review answer key') to entice users. It contains numerous links, including one pointing to a known malicious redirector infrastructure (ttraff.link), indicating an attempt to lead users to harmful content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious redirection attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/pify?keyword=chemistry+unit+4+review+answer+key In PDF document text
- http://nizadox.goodshift.com/uploads/1/3/1/1/131163782/2858429.pdfIn PDF document text
- http://dapikeda.tedxsandhillscc.org/uploads/1/3/2/7/132740865/5100739.pdfIn PDF document text
- http://files.kootsie.com/uploads/1/3/0/7/130775825/nawidane.pdfIn PDF document text
- https://site-1036745.mozfiles.com/files/1036745/poronokirakoxadomusuraf.pdfIn PDF document text
- https://site-1039428.mozfiles.com/files/1039428/dukesenetom.pdfIn PDF document text
- https://site-1036923.mozfiles.com/files/1036923/runegusuwa.pdfIn PDF document text
- https://site-1036678.mozfiles.com/files/1036678/budavabemipupudadiruja.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/a8789d36-2b15-4f7b-b201-edf60d6025a8/64093559522.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/768bb7ab-74e4-4b29-bdbb-e51ee71f58a2/52467557322.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0c6a455c-bca8-4dd6-bd7b-0cb4827f3322/soxisawavumivinido.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/26ff5861-139c-4649-bffd-92b17597e2fa/makirumofevit.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c214acfe-7046-405a-b251-1fac177d6277/2965555794.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a2cbc3ea-179a-44f1-9d41-9edb656cfad2/dofexoned.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e1979b2f-1b57-4a8c-9dbd-799b6ed1720b/mobajesumajurelajivem.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/25924065-309c-46c0-91e2-64fa42f7520c/60885334459.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3bf5b8d8-661d-4bba-b57e-75d43dbd67e3/58830325585.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7d1f55df-23ea-4389-89ff-9081604a207b/77777814684.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007b26.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B26	5204 bytes
SHA-256: `8e04c78b57cfff5e1cfd20c2bff77d99dad5cf18d84112f0cb656ebb8ff0474c`
`font_01_sfnt_off00008cc3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8CC3	10244 bytes
SHA-256: `1ceff649ab7c842235c68fee0b23f14c367e686b7e68e92314ec64414f332bdd`

Open this report in the interactive analyzer, or submit your own file for analysis.