PDF malware analysis — malicious · 1ffae34edab2ee39

MALICIOUS

PDF

50.8 KB Created: 2020-08-31 04:13:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 020e2a536934f969be8fe84e871e3afb SHA-1: 42b78acad9ae864ebbdd493700d9b8012c0c5e5b SHA-256: 1ffae34edab2ee39a4c15d43d3491f24b7aa27d8d08a84c894f8e77a78bdf6c0

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing for a PDF link farm. One of the primary links directs to 'ttraff.cc', a known malicious redirector. The document body, though heavily obfuscated, contains the same URL and references to PDF documents, suggesting a lure to external content. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=first+person+second+person+third+person+table+pdf
- https://static.usrfiles.com/ugd/b8c837_c183484d30ee48afbaf03c67dbd4b9c3.pdf
- https://static.usrfiles.com/ugd/44b221_11a4616155484785813740c129638188.pdf
- https://static.usrfiles.com/ugd/b8c837_1d29f84383674b1c9f043a0dd805f1cf.pdf
- https://static.usrfiles.com/ugd/fedf23_ec426587029e4c2397312baa5b3ea84e.pdf
- https://static.usrfiles.com/ugd/5cf23b_bc1898e9c83e4313a009d4ebe3234a67.pdf
- https://static.usrfiles.com/ugd/4d400c_aa6583af54524063802f3e4e783d8639.pdf
- https://static.usrfiles.com/ugd/b8c837_92c89f0ed4484e788e34c4f08e9f3aa5.pdf
- https://static.usrfiles.com/ugd/68ec51_be195c8b680e46aabe23140b68cee5d8.pdf
- https://static.usrfiles.com/ugd/b8c837_1669f77a8efc4cfb815a8570660e00f2.pdf
- https://static.usrfiles.com/ugd/6f58fb_6c7afdc54ba04c2d99efa9f3eaf28992.pdf
- https://static.usrfiles.com/ugd/b8c837_89dbc283b57b4d5cac7e2b0aff9cfc67.pdf
- https://static.usrfiles.com/ugd/7198c1_52c3665bed79443a9db84ee87b79feb7.pdf
- https://cdn.shopify.com/s/files/1/0431/8475/0741/files/5250337648.pdf
- https://cdn.shopify.com/s/files/1/0431/2596/4957/files/vinezatalegafirafabusos.pdf
- https://cdn.shopify.com/s/files/1/0430/7727/1706/files/9788817949.pdf
- https://cdn.shopify.com/s/files/1/0463/2448/2208/files/65258854864.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000077be.bin` `4b2dfadbdaa825c3610af205db2accfcbcf0483f3518ef930eca0cb1b62cb09e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x77BE	5128 bytes
`font_01_sfnt_off00008916.bin` `79d61e4534d13016810bea874173f97d0dd78882a4a7ffe9cd6e09b5c5312149`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8916	11708 bytes
`font_02_sfnt_off0000af24.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAF24	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.