PDF malware analysis — malicious · 30671198fee56cfe

MALICIOUS

PDF

43.7 KB Created: 2020-08-06 14:21:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a702e4e9ee77d36e17b1d155573736a8 SHA-1: 10be332d25044478db9024fc2284334a834a9847 SHA-256: 30671198fee56cfe8917af71c03134cb8d66abe379df8d30fcfa05bdd9be528e

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, suggesting a link farm. The primary malicious URL identified is https://ttraff.cc/pify?keyword=orari+cavourese+pdf, which likely serves as a gateway to further malicious content. The document body contains obfuscated text and embedded URLs, reinforcing the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=orari+cavourese+pdf
- http://files.elpasohousebuying.com/uploads/1/3/2/6/132682802/zajozogi.pdf
- http://files.enrealexperttravel.com/uploads/1/3/0/8/130813489/giwivuraw.pdf
- http://files.dmparanormal.com/uploads/1/3/0/7/130775357/zodivofilazaxe_xubumurodab_wopuvog.pdf
- http://files.loveandmercyfdc.com/uploads/1/3/1/8/131857071/tazowirujuvimi.pdf
- http://xuvobitof.truthinfoundations.com/uploads/1/3/0/8/130814168/3089749.pdf
- https://cdn.shopify.com/s/files/1/0429/8863/4263/files/43868434541.pdf
- https://cdn.shopify.com/s/files/1/0440/5706/7685/files/fikuzazirot.pdf
- https://cdn.shopify.com/s/files/1/0433/6143/5813/files/sebejixamiruv.pdf
- https://cdn.shopify.com/s/files/1/0432/7420/7387/files/1564459192.pdf
- https://cdn.shopify.com/s/files/1/0437/6769/3474/files/53231984758.pdf
- https://cdn.shopify.com/s/files/1/0437/7536/1178/files/xajujoxopeviwuwabarilase.pdf
- https://cdn.shopify.com/s/files/1/0430/8343/2096/files/33014415704.pdf
- https://cdn.shopify.com/s/files/1/0433/3741/6869/files/42356084672.pdf
- https://cdn.shopify.com/s/files/1/0435/4120/1064/files/19992763719.pdf
- https://cdn.shopify.com/s/files/1/0437/5835/4584/files/aaranya_kaandam_script.pdf
- https://cdn.shopify.com/s/files/1/0434/7812/2649/files/mulewewuzovizot.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f28.bin` `3016277145264f0cd4df13937fba6924054ed85565063ad7163232de5152c25f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F28	4900 bytes
`font_01_sfnt_off00006fe8.bin` `8890730e13ad38f2915ea155199d20471221a168c8c30c74efb6efdc0f01f9cb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FE8	11068 bytes
`font_02_sfnt_off000093c8.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x93C8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.