PDF malware analysis — malicious · 227483c02cfb3d58

MALICIOUS

PDF

45.1 KB Created: 2020-08-18 21:42:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: aa510df2ba2b111d94326dcd813afcf3 SHA-1: a334e8303ef8d1ece9a03dcf2b9399fb10e543fb SHA-256: 227483c02cfb3d58f56dcb38bc59cadd16d2f5614c5c1a7c1d9858b544140922

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a critical heuristic firing for a malicious redirector. The primary malicious URL is https://ttraff.cc/pify?keyword=hallelujah+guitar+chords+pdf, which is likely used to redirect the user to a malicious site. The document body contains garbled text but includes the same malicious URL, suggesting an attempt to disguise the malicious intent with a seemingly innocent topic. No scripts were extracted, but the PDF structure and embedded links strongly indicate a phishing or redirection attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=hallelujah+guitar+chords+pdf
- http://piziruli.sethallenyoungphd.com/uploads/1/3/2/8/132814718/9912070.pdf
- http://regodewop.cypruskennelclub.org/uploads/1/3/1/3/131384600/guzopovip.pdf
- http://files.healthybeauty365.com/uploads/1/3/0/7/130776745/ruloj_tiwilamunuv_nozixeri.pdf
- https://cdn.shopify.com/s/files/1/0437/1978/6645/files/classification_of_antibiotics_according_to_mode_of_action.pdf
- https://cdn.shopify.com/s/files/1/0438/2805/2130/files/sewepurame.pdf
- https://cdn.shopify.com/s/files/1/0435/6230/3637/files/bteb_ssc_exam_routine_2020.pdf
- https://cdn.shopify.com/s/files/1/0428/6332/9446/files/3647933558.pdf
- https://cdn.shopify.com/s/files/1/0429/1565/9942/files/upbte_syllabus_3rd_semester_2020.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/18410569865.pdf
- https://cdn.shopify.com/s/files/1/0435/2340/8023/files/75296167364.pdf
- https://cdn.shopify.com/s/files/1/0432/1250/5252/files/98480080511.pdf
- https://cdn.shopify.com/s/files/1/0434/6226/2936/files/xarejow.pdf
- https://cdn.shopify.com/s/files/1/0431/3939/9842/files/nesufajedew.pdf
- https://cdn.shopify.com/s/files/1/0431/5299/8556/files/75114587993.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005b2c.bin` `4fa4a60cbf4cb2e1dd6249db4e6210615cfb829738a6507cd856eb66df83a5b7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5B2C	5228 bytes
`font_01_sfnt_off00006d0a.bin` `17e919acb7bc8fd54ae5071350f3be43b7e83d6085159ce5419bf17079f2c8dc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D0A	14156 bytes
`font_02_sfnt_off00009969.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9969	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.