PDF malware analysis — malicious · 372858a4957dcd91

MALICIOUS

PDF

49.5 KB Created: 2020-08-09 00:18:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b5e39c7a0ae22bcccc17684d76613dab SHA-1: 50cb6bcb926706b1e6bf48051ac28e435defad7f SHA-256: 372858a4957dcd91133076ad49e482563321cc28f774e81854dbae745b68c244

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged for containing malicious redirector links and a link farm, indicating a likely phishing or malware distribution attempt. The primary malicious URL identified is ttraff.ru, which is used in conjunction with a keyword that appears to be part of a SEO spam campaign. The document body contains garbled text but includes the malicious URL and a benign Shopify URL, suggesting an attempt to disguise the malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bricks+intensive+reading+1+pdf
- http://files.pennjournalconlaw.com/uploads/1/3/2/6/132682694/bawibixijuzawo.pdf
- http://files.eguastella.com/uploads/1/3/1/8/131871690/4656610.pdf
- http://files.franciscanyon.com/uploads/1/3/2/6/132681448/sigokuto_nofivapon_buviwufipiru_fowizemebuwod.pdf
- http://files.pennjournalconlaw.com/uploads/1/3/2/6/13268
- https://cdn.shopify.com/s/files/1/0434/5144/9496/files/61347241468.pdf
- https://cdn.shopify.com/s/files/1/0434/4774/6710/files/safowonevarusudijuzano.pdf
- https://cdn.shopify.com/s/files/1/0434/3732/6488/files/giwebatelosuxumaboje.pdf
- https://cdn.shopify.com/s/files/1/0433/7405/1493/files/kowagi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wabodenerevugibew.pdf
- https://cdn.shopify.com/s/files/1/0443/4070/7484/files/che_guevara_books_malayalam.pdf
- https://cdn.shopify.com/s/files/1/0432/5018/8443/files/70881948447.pdf
- https://cdn.shopify.com/s/files/1/0431/9019/0248/files/95759649208.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wesani.pdf
- https://cdn.shopify.com/s/files/1/0429/5737/3589/files/14351655482.pdf
- https://cdn.shopify.com/s/files/1/0436/1306/1277/files/93697398755.pdf
- https://cdn.shopify.com/s/files/1/0434/4197/9553/files/60316892302.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006455.bin` `e06f5e72c62fc0c197baf6910a965aaf09773c7791e0788a7ea4b732bf1bea5d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6455	8772 bytes
`font_01_sfnt_off000080ab.bin` `4b40530b3a58f242fd3c7b7c8656ab2a73cddb9516d97586ada5296c64ddb7a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x80AB	5516 bytes
`font_02_sfnt_off0000939d.bin` `04c911087fe5a7dba960dc003f3f94ce551072aee9361621b790cfd73ee34a8c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x939D	10092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.