PDF malware analysis — malicious · 0300480df09d601a

MALICIOUS

PDF

42.3 KB Created: 2020-08-31 08:47:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: aff1fdf137a126cd3ceb61813c6a27c1 SHA-1: 487480cc0f5ba7d14b0a61fce98530e289765fad SHA-256: 0300480df09d601a03e10cb102a560d4da03ee948935394e4512db1dc3b4f2a5

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=unity+gi+cache'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to a Shopify domain. The ML classifier strongly indicates maliciousness. The embedded document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to lure the user to a harmful site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=unity+gi+cache
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://cdn.shopify.com/s/files/1/0434/5197/3799/files/17368736882.pdf
- https://cdn.shopify.com/s/files/1/0435/3651/5224/files/95886642952.pdf
- https://cdn.shopify.com/s/files/1/0427/6974/4028/files/nitifasirowe.pdf
- https://cdn.shopify.com/s/files/1/0427/4041/6678/files/53429039075.pdf
- https://static.usrfiles.com/ugd/b8c837_48f1ac0621084e2fa3e0a556ab16f75d.pdf
- https://static.usrfiles.com/ugd/7603ae_1dce1717e156408d8badb47c5d6966c4.pdf
- https://static.usrfiles.com/ugd/b8bbd7_b3276632fb2b4971b507ddfde41d6b2d.pdf
- https://static.usrfiles.com/ugd/3f0e57_bf9d13120d89418dae0e3cefcaa4679b.pdf
- https://static.usrfiles.com/ugd/97368a_711752ced2994e8ab715e962093d7cf4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005d67.bin` `4e6ca63d84779d972616fe4ae96cd581f43bdbfa0ff63a85a364ab4cde308802`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5D67	4528 bytes
`font_01_sfnt_off00006cc6.bin` `e2766f0338d86e57e4592536f9a5f7eda464d037c7dd173b00d6ccefcccad70d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CC6	9948 bytes
`font_02_sfnt_off00008ee0.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8EE0	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.