PDF malware analysis — malicious · 30435d69ce364ccc

MALICIOUS

PDF

44.7 KB Created: 2020-08-20 23:18:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b1c400be87ae64577cb57b4b338229e1 SHA-1: 57f7043d664b5c23756a014138493ceab04ee220 SHA-256: 30435d69ce364ccc5ac391943bc976db9f4b95fa1e068de1091132873caf66d0

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.ru, disguised as a 'becil registration form'. The document body and heuristics confirm the presence of numerous embedded links, many pointing to Shopify domains, likely part of a link farm to obscure the malicious destination. The ML classifier strongly indicates maliciousness. The primary attack vector appears to be social engineering via a deceptive form lure, leading to the malicious redirector.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=becil+registration+form+2017
- http://buwaxun.liquidnitrogenphoto.com/uploads/1/3/2/7/132712336/3e6f135d76c7cd.pdf
- http://rasup.wisconsinwaterlaw.com/uploads/1/3/1/4/131409236/lijugamukuluduwaw.pdf
- http://files.broeifionydd.com/uploads/1/3/2/6/132682230/tidazadipowes.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kuvesagapixunijibofalase.pdf
- https://cdn.shopify.com/s/files/1/0430/5901/9933/files/61949938759.pdf
- https://cdn.shopify.com/s/files/1/0429/3971/1655/files/budawamezo.pdf
- https://cdn.shopify.com/s/files/1/0436/6116/4697/files/23152486447.pdf
- https://cdn.shopify.com/s/files/1/0434/9414/6200/files/27835955708.pdf
- https://cdn.shopify.com/s/files/1/0428/1001/5910/files/73204202987.pdf
- https://cdn.shopify.com/s/files/1/0435/5548/7905/files/30769772859.pdf
- https://cdn.shopify.com/s/files/1/0431/7849/2062/files/4061914505.pdf
- https://cdn.shopify.com/s/files/1/0435/3599/0936/files/mibutigawotugo.pdf
- https://cdn.shopify.com/s/files/1/0435/5706/0769/files/33224359555.pdf
- https://cdn.shopify.com/s/files/1/0434/1055/5041/files/noginajuno.pdf
- https://cdn.shopify.com/s/files/1/0448/3697/8850/files/80403844896.pdf
- https://cdn.shopify.com/s/files/1/0428/5906/9599/files/40797091263.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000061cf.bin` `706b5c4ffa1afcf853658882b0980f8f38ea26f87712800ee54588cd20ce5279`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61CF	5444 bytes
`font_01_sfnt_off00007438.bin` `f653b4f7dd9eeb0b2a62c16382a5b29d337f3d5293710c47549e69b6123bca17`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7438	10516 bytes
`font_02_sfnt_off000097fd.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97FD	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.