PDF malware analysis — malicious · 25a5a3e80ca1fd21

MALICIOUS

PDF

41.1 KB Created: 2020-08-08 14:01:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 04ab2ee7e3081093552c69ffddccea99 SHA-1: 7cffd1efb7f429ee60afccc7d8ff96b538ecfd97 SHA-256: 25a5a3e80ca1fd216e35ec6ced37f76c05abd59edfd0f81eff13bd66b8f8dd4a

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, indicating a link farm. The primary malicious URL identified is https://ttraff.ru/pify?keyword=%25C3%25A1lcoois+e+fenois+pdf. While no scripts were extracted, the sheer volume of embedded links suggests a campaign to drive traffic to potentially malicious sites.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=%25C3%25A1lcoois+e+fenois+pdf
- http://files.middlesexmotorcycle.com/uploads/1/3/0/7/130738993/669168.pdf
- http://files.catgiles.co.uk/uploads/1/3/0/9/130969465/7447235.pdf
- http://files.mattkempracing.com/uploads/1/3/0/7/130775400/d6f4f8a.pdf
- http://files.connectingmemphis.com/uploads/1/3/1/4/131453146/vuvonirawedusogexixi.pdf
- http://sopiwusi.18crossroad.net/uploads/1/3/0/7/130775320/ce29aa2ad70.pdf
- https://cdn.shopify.com/s/files/1/0436/2344/8736/files/jubuworiniwekenuz.pdf
- https://cdn.shopify.com/s/files/1/0429/8794/6133/files/24556767833.pdf
- https://cdn.shopify.com/s/files/1/0431/4310/2618/files/92589377969.pdf
- https://cdn.shopify.com/s/files/1/0427/3196/2535/files/bootstrap_4_classes.pdf
- https://cdn.shopify.com/s/files/1/0432/2823/3883/files/crin_o_medical_term.pdf
- https://cdn.shopify.com/s/files/1/0433/5930/5880/files/regional_indicator_generator.pdf
- https://cdn.shopify.com/s/files/1/0432/0316/6370/files/zuragikolet.pdf
- https://cdn.shopify.com/s/files/1/0437/6874/2040/files/mick_goodrick.pdf
- https://cdn.shopify.com/s/files/1/0435/1649/3976/files/lanupe.pdf
- https://cdn.shopify.com/s/files/1/0430/3428/0090/files/bozakumekojig.pdf
- https://cdn.shopify.com/s/files/1/0433/1313/5774/files/10947100812.pdf
- https://cdn.shopify.com/s/files/1/0430/5390/8117/files/teguje.pdf
- https://cdn.shopify.com/s/files/1/0431/0410/8711/files/mcdonald_s_full_menu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000634f.bin` `f649f565832378080607e4897f4de6e5713dc50746cc6677998124c8183eb229`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x634F	4856 bytes
`font_01_sfnt_off000073f1.bin` `989a7e882ca6d9e7c170f3e72765501d742663d66f90e03b8023b7185e3fea90`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73F1	10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.