PDF malware analysis — malicious · 344c6f8bc2cef07e

MALICIOUS

PDF

40.5 KB Created: 2020-08-29 17:07:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cdaa2e42dc25b889e19e504329d9f81c SHA-1: 20c76c7e2eb0bb810f7089f4a51d062a9b6d4e30 SHA-256: 344c6f8bc2cef07e0e9b02a5daa3c399cb9bd6ecb54644ffdd3d26681f61faa2

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, ttraff.ru, disguised as a warehouse modernization guide. This suggests a phishing or scam attempt, likely delivered as a spearphishing attachment. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=warehouse+modernization+and+layout+planning+guide
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_423da957b24945749e3364e832b5d02a.pdf
- https://static.usrfiles.com/ugd/b8c837_0d31316827324b5f8b5c46948da3b33c.pdf
- https://static.usrfiles.com/ugd/b65acf_9f0fb1b1314e46acac6be91781fd906a.pdf
- https://static.usrfiles.com/ugd/b8c837_0a4efbfdb90b458abc7854d09df9785c.pdf
- https://static.usrfiles.com/ugd/b8c837_c2385d517cd24c5f8a47f9ca32f2eb64.pdf
- https://static.usrfiles.com/ugd/b8c837_315199ac5c744f329ff34f56a1552820.pdf
- https://static.usrfiles.com/ugd/95089d_cf18a68306dd4534b58a20fee0b33c32.pdf
- https://static.usrfiles.com/ugd/9cc572_c2f0c58e828c419cad5ff6b984d9988f.pdf
- https://static.usrfiles.com/ugd/b8c837_107ea472e23142c1ade4d378904ae83b.pdf
- https://static.usrfiles.com/ugd/913720_cf4ba3b88acd4931a47d2d9a2b2fd7ae.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000476c.bin` `ce9f4f098bbdc129d5b2ed51c06042ee63f14988caa884b245d016408f2e0dce`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x476C	7140 bytes
`font_01_sfnt_off00005f7c.bin` `f4f11f0894f96a009af04a88329b27e26456d51b399944b09c1be21287da2d0c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F7C	5536 bytes
`font_02_sfnt_off0000724c.bin` `9a6536b71bf727dd4c3d1c8e79c03fae50c7fee5dd830179ba912121bd204553`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x724C	10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.