PDF malware analysis — malicious · 37809a97e499e630

MALICIOUS

PDF

48.7 KB Created: 2020-08-02 21:50:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 99196fbc8c45a6a35e77c4a6916644b4 SHA-1: 6da273cc33e7c7433720b1153a5d29c75c5b0311 SHA-256: 37809a97e499e6304fe022e2c48ab28bd16a895f734dddc205701bbea15f4ca7

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links designed to appear as legitimate downloads, such as service manuals, but redirects to malicious infrastructure. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically identifies a link to ttraff.cc, a known malicious redirector. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, many hosted on Shopify, likely to manipulate search engine results and lure victims. The ML_NYX_PDF_MALICIOUS score further supports the malicious nature of the document.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=dodge+ram+service+manual+free+download
- http://files.centrepointecincinnati.com/uploads/1/3/1/4/131406413/e08b8.pdf
- http://files.gracefay.org/uploads/1/3/0/7/130775071/dabaruxuwos_pugej_tenurenitebe.pdf
- http://files.betsyeliot.com/uploads/1/3/0/7/130775934/riwafip.pdf
- http://files.zmagence.com/uploads/1/3/2/6/132695454/c3dfbc7fca2.pdf
- https://cdn.shopify.com/s/files/1/0427/6181/4172/files/9943121721.pdf
- https://cdn.shopify.com/s/files/1/0432/8646/2620/files/zitimafiwezelekajes.pdf
- https://cdn.shopify.com/s/files/1/0440/5955/8053/files/49332148199.pdf
- https://cdn.shopify.com/s/files/1/0437/6284/3797/files/15778362964.pdf
- https://cdn.shopify.com/s/files/1/0437/2011/4344/files/13917558307.pdf
- https://cdn.shopify.com/s/files/1/0430/6203/4589/files/zoo_tycoon_2_complete_collection.pdf
- https://cdn.shopify.com/s/files/1/0429/8863/4263/files/nexezodegolovemegafogidip.pdf
- https://cdn.shopify.com/s/files/1/0428/7270/1095/files/78457588684.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/44603331863.pdf
- https://cdn.shopify.com/s/files/1/0435/5820/7651/files/hardest_hangman_words.pdf
- https://cdn.shopify.com/s/files/1/0440/6280/2070/files/gopakex.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b36.bin` `42777dfaf34f207ee850d481f9910c85a0faa0604ac4c5553d09d496ff542098`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B36	5292 bytes
`font_01_sfnt_off00007d2f.bin` `34aee7c2ff0c959641ab73bd351041b75662a56bef2e31c47e25a302e85c411e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D2F	13228 bytes
`font_02_sfnt_off0000a759.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA759	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.