PDF malware analysis — malicious · 1ef440ab938d0001

MALICIOUS

PDF

262.8 KB Created: 2020-09-01 13:57:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ead8aee136bf141d5c952e2940ecc30a SHA-1: 9435de5dedf3b20de3784738b7c65cf13b6355f6 SHA-256: 1ef440ab938d00014c21fdd2a44ab736ff4c76250b5ec985c0ce6a9117c0f4ce

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The ML classifier also strongly flagged this PDF as malicious. The embedded URL, 'https://ttraff.club/wix?keyword=booklet+template+photoshop', is the primary indicator of malicious intent, likely serving as a lure for further compromise.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=booklet+template+photoshop
- https://static.usrfiles.com/ugd/162fe6_47f5655e40224b20b190b814e3fc780d.pdf
- https://static.usrfiles.com/ugd/7f46b5_9d809ce814fb4f9080c35ec3d790c473.pdf
- https://static.usrfiles.com/ugd/902d29_6a53c92c29924326b0802b5f4af23a55.pdf
- https://static.usrfiles.com/ugd/856cea_6074478420eb4540afbbec92c63d69d2.pdf
- https://static.usrfiles.com/ugd/ee4a13_fef355f88f9840c0888e50f054756eb3.pdf
- https://static.usrfiles.com/ugd/493135_db6ba2280a714a52922366f7c2527f0e.pdf
- https://static.usrfiles.com/ugd/40b9e6_86dc6141a1c140f5bab0200e84a35f12.pdf
- https://static.usrfiles.com/ugd/b8c837_f5d37feffc15469badd09f3a45dd958d.pdf
- https://cdn.shopify.com/s/files/1/0434/7222/4421/files/65192279541.pdf
- https://cdn.shopify.com/s/files/1/0435/1688/7192/files/active_and_passive_voice_grade_6.pdf
- https://cdn.shopify.com/s/files/1/0431/0263/4148/files/zurudumakamumipemo.pdf
- https://cdn.shopify.com/s/files/1/0437/7093/7495/files/93582557982.pdf
- https://cdn.shopify.com/s/files/1/0434/5295/6838/files/nakuzefepituzidofijinebog.pdf
- https://cdn.shopify.com/s/files/1/0431/7118/4794/files/jebasupasijimirubovi.pdf
- https://cdn.shopify.com/s/files/1/0437/8905/8206/files/dead_rising_2_trainer_v1.0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0003b1bc.bin` `8c6ae2dd525cb7e30c6a22f3c38fa46d249c764124a58b9ae6c29a029102f5bd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3B1BC	5076 bytes
`font_01_sfnt_off0003c2d8.bin` `8b853d8bfc11cc380c2209a5f6ab79141bd847b70b7a75502fe2301a986cfa9e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3C2D8	17284 bytes
`font_02_sfnt_off0003f835.bin` `532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3F835	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.