PDF malware analysis — malicious · 046c358705d1aed6

MALICIOUS

PDF

36.7 KB Created: 2020-08-31 01:30:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 15a54e92e92a4c1e68331dce1a6c7fbc SHA-1: 5f9483c0872e45cbfb306591519a8fc8c990f4b5 SHA-256: 046c358705d1aed6a85b81e4d7784557f884edfdccf3cda19c788727e936af4c

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, suggesting a link farm or SEO poisoning tactic. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.ru/wix?keyword=vesta+v2fx+manual', indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains this URL, reinforcing its malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=vesta+v2fx+manual
- http://vestacp.c
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0432/1817/4120/files/adobe_reader_dc_vs_11.pdf
- https://cdn.shopify.com/s/files/1/0452/3737/1040/files/17682708078.pdf
- https://cdn.shopify.com/s/files/1/0434/4751/7349/files/jorge_cruise_belly_fat_cure.pdf
- https://cdn.shopify.com/s/files/1/0440/1758/2230/files/xezodurekegafe.pdf
- https://cdn.shopify.com/s/files/1/0432/6686/7362/files/makejopudut.pdf
- https://static.usrfiles.com/ugd/585b1d_ec2e41e5557d4d5abc1d96c20bb0a786.pdf
- https://static.usrfiles.com/ugd/3b7182_1366ddc08a444b52a200f942e144c766.pdf
- https://static.usrfiles.com/ugd/4f270c_2518aef815c84ddbb0f5e84a90da2d41.pdf
- https://static.usrfiles.com/ugd/a91264_71a1161f2b304677af56c7058c4d7402.pdf
- https://cdn.shopify.com/s/files/1/0459/6278/9024/files/54163432843.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gotisirifiwixi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000052ac.bin` `1da7b443182a2852753bbcd93acf8e61722d9c313d3bf2d0464a7f814accb5d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x52AC	5044 bytes
`font_01_sfnt_off000063d6.bin` `c80e2e17c076dea198e39c1d3f35fa6cb5184fa4afc2285f6c4f40898532c00f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x63D6	10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.