PDF malware analysis — malicious · e3fe53578b6d89b1

MALICIOUS

PDF

41.4 KB Created: 2020-09-18 00:14:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9816bfb4935c83358f0712f7a5f1e757 SHA-1: 12fd2d49bc2a74748819f1346f938a4ee500bc65 SHA-256: e3fe53578b6d89b1bc8445c27be3f56d3ed05bb4f6942c90e64a6ab2d94b0c3d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one prominent link leading to a known malicious redirector. The document body, though heavily obfuscated, contains the same URL as the malicious redirector, suggesting an attempt to disguise the malicious link under a seemingly educational topic. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=chapter+15+the+second+industrial+revolution+worksheet+answers
- http://jenefodo.jpadventures.com/uploads/1/3/1/4/131406515/xoxoxojovu.pdf
- http://giwedod.laocdb.com/uploads/1/3/1/4/131482916/jagewomum.pdf
- http://muram.bodyandsoulapothecary.com/uploads/1/3/0/7/130739664/c34ed4a.pdf
- http://files.chihdesignltd.com/uploads/1/3/2/8/132814241/roxajadotimijam_wosuzokubuwunux_gubixi.pdf
- https://cdn.shopify.com/s/files/1/0433/9531/7918/files/analisis_de_riesgo_del_trabajo.pdf
- https://cdn.shopify.com/s/files/1/0434/7471/4784/files/jolibavaju.pdf
- https://cdn.shopify.com/s/files/1/0432/8282/5376/files/free_cv_template_word_format.pdf
- https://a0e22bdb-14e5-4e5a-af0c-61ff9226cf6e.filesusr.com/ugd/97aff7_a720b86cd8e64406b04031e2694550be.pdf?index=true
- https://97239b27-87cd-4ab4-911a-b84904747378.filesusr.com/ugd/4cf28d_4e99938f4d0d41a79c77d8a3470e5320.pdf?index=true
- https://66233792-fee5-4fc4-b6da-0b0679d4d7df.filesusr.com/ugd/2e16aa_96083fde3828454cafaf38e915929a1f.pdf?index=true
- https://4ce37f4e-c7b7-4c4a-97b2-afd8ddc0a691.filesusr.com/ugd/ca847e_9a4f03a82727454f800873fc0ea28fff.pdf?index=true
- https://57147374-8d3c-463b-9faa-68cbef14b04b.filesusr.com/ugd/2e79a6_6e4979130c804bdf8e11a92bb35bcbc2.pdf?index=true
- https://8142eebc-d78f-4950-94b1-0b5c8e8369f9.filesusr.com/ugd/98d33d_070e79b5e8fc4de7bb888aed8f2b75fc.pdf?index=true
- https://dbf64e23-b4bf-4db0-938f-8b0600c21a0f.filesusr.com/ugd/3ce946_3b5dec96f90e4f15a62886b9750164a7.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006337.bin` `2820b5d1bdb91ff52966df8c65dc649a166f86d02e0f7245054d9c2771a5d8d7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6337	5460 bytes
`font_01_sfnt_off000075d8.bin` `a2647603abbb790ff25471b7be9bc7c73dbb95b2bc964b47d02dcd651797d163`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75D8	10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.