PDF malware analysis — malicious · fe199635608e2c8a

MALICIOUS

PDF

62.9 KB Created: 2020-08-31 20:10:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e1a736571989845738cc9a2919e9aaea SHA-1: 02c6ea4a13fac0fbe76713ca36528b6b974bceff SHA-256: fe199635608e2c8a582cce34f82acc5e64d0eaeae93e6be42f48115ec96d94d9

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a seminar report. This indicates a phishing attempt to lure users to malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=biomass+fuelled+power+plant+seminar+report+pdf
- https://cdn.shopify.com/s/files/1/0440/7610/5893/files/atmega168pa_datasheet.pdf
- https://cdn.shopify.com/s/files/1/0431/7760/7324/files/sheet_street_christmas_decorations.pdf
- https://cdn.shopify.com/s/files/1/0447/9637/9285/files/37049043113.pdf
- https://cdn.shopify.com/s/files/1/0430/1540/5725/files/nugujime.pdf
- https://cdn.shopify.com/s/files/1/0431/0017/6544/files/soxor.pdf
- https://cdn.shopify.com/s/files/1/0440/6686/5302/files/fudigukiwoge.pdf
- https://cdn.shopify.com/s/files/1/0429/3489/4755/files/4533152639.pdf
- https://cdn.shopify.com/s/files/1/0435/9648/0671/files/calculus_bc_textbook.pdf
- https://cdn.shopify.com/s/files/1/0436/0319/8114/files/magisterial_district_judge_docket_sheet.pdf
- https://cdn.shopify.com/s/files/1/0432/3799/8754/files/interpolating_and_extrapolating_graph_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0431/2442/4853/files/bonibub.pdf
- https://static.usrfiles.com/ugd/b8c837_bb6949bb024f4b61a7ae4258735e01ae.pdf
- https://static.usrfiles.com/ugd/18f527_27d36e28b8e54fbba5e366b76663a9c2.pdf
- https://static.usrfiles.com/ugd/4d935e_ffba2123c6234f30a114bb7965fe78d0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ae63.bin` `fc670e21c33217810ad47185e7df9066ee8a22096c5f5d55c4389cf2c36dc8c0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAE63	5328 bytes
`font_01_sfnt_off0000c079.bin` `faf9d2c1ee4b3eaad1446290f98f8a3a98e23240d523967c6bfd5030399f2173`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC079	14760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.