PDF malware analysis — malicious · fb6a766dfe6a2d4a

MALICIOUS

PDF

52.5 KB Created: 2020-08-06 01:51:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bc7d5bf8405cd16360a22671e94b8cf2 SHA-1: ea156677f1911616945583ef0aa68043f08bdcf1 SHA-256: fb6a766dfe6a2d4a5fdfb586910a7ce29b77e84fa2b81a1533b91ae9e0b89842

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as educational material. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates the primary URL leads to malicious infrastructure. The PDF_SEO_LINK_FARM heuristic suggests the document is part of a larger link farm designed to attract traffic. The ML_NYX_PDF_MALICIOUS model strongly supports the malicious classification.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=ncert+class+12+accountancy+part+1+pdf
- http://files.h-mun.com/uploads/1/3/1/3/131379296/tofazaduf.pdf
- http://files.peterandrewsoam.com/uploads/1/3/1/8/131872178/paludapakifewuvapi.pdf
- http://files.saharasistasols.com/uploads/1/3/0/7/130775145/wolesilerube.pdf
- https://cdn.shopify
- https://cdn.shopify.com/s/files/1/0432/3006/8898/files/82481031561.pdf
- https://cdn.shopify.com/s/files/1/0436/9140/9558/files/75373331918.pdf
- https://cdn.shopify.com/s/files/1/0434/5249/8070/files/19169751426.pdf
- https://cdn.shopify.com/s/files/1/0431/6246/8516/files/87980496289.pdf
- https://cdn.shopify.com/s/files/1/0437/1460/9303/files/82704520014.pdf
- https://cdn.shopify.com/s/files/1/0431/3110/9538/files/78559103054.pdf
- https://cdn.shopify.com/s/files/1/0431/0673/0144/files/83255125657.pdf
- https://cdn.shopify.com/s/files/1/0429/7365/9292/files/23508359505.pdf
- https://cdn.shopify.com/s/files/1/0431/6397/5835/files/sazemajazokirefuzafamupir.pdf
- https://cdn.shopify.com/s/files/1/0431/7505/1421/files/27165730186.pdf
- https://cdn.shopify.com/s/files/1/0433/7080/7459/files/xunifi.pdf
- https://cdn.shopify.com/s/files/1/0448/6122/7169/files/lion_otter_beaver_retriever_test.pdf
- https://cdn.shopify.com/s/files/1/0438/5082/5893/files/arris_tm822_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/2032/8864/files/rifisemu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000073e7.bin` `74c977e97434d2a4260f28922fee916dee6c075b16d15bdf061ace2ddd1bdb22`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73E7	5404 bytes
`font_01_sfnt_off0000866f.bin` `f1a1eb4e715b1744cdd3ae8fa926a5602acc795d55c31251176d19828f2f945a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x866F	10100 bytes
`font_02_sfnt_off0000a91e.bin` `0c2ca167476a4e9f3c9c7d79ef71e9b25debb60c071bdeaa95ca140a9bf8b2e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA91E	8188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.