PDF malware analysis — malicious · 4aa610603137b788

MALICIOUS

PDF

49.1 KB Created: 2020-08-21 12:57:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a0307cb08a9d32a84107ea9c1c1cafc1 SHA-1: e95dbe070118a6eb1ed2fe3d0fa3eb053b5c8d6e SHA-256: 4aa610603137b788dd089b1e2187470e349b43fa79d59c5b2bc6bac499a4e864

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=iso+8601+date+format+bash'. This URL is presented within the document body, suggesting a social engineering attempt to trick the user into clicking it. The presence of a large number of external PDF links, many hosted on shopify.com, indicates a link farm SEO tactic, likely to obscure the malicious redirector. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=iso+8601+date+format+bash
- http://files.amplifygymnastics.com/uploads/1/3/2/6/132681992/4953733.pdf
- http://ketoj.annshafer.com/uploads/1/3/0/9/130969596/pibipol_busizorene.pdf
- https://cdn.shopify.com/s/files/1/0432/5549/6866/files/64580971320.pdf
- https://cdn.shopify.com/s/files/1/0427/9903/8631/files/vatixut.pdf
- https://cdn.shopify.com/s/files/1/0433/6189/4565/files/wadibez.pdf
- https://cdn.shopify.com/s/files/1/0430/7596/0985/files/soruvadeb.pdf
- https://cdn.shopify.com/s/files/1/0433/1690/4104/files/10415738749.pdf
- https://cdn.shopify.com/s/files/1/0431/3353/4357/files/1897985667.pdf
- https://cdn.shopify.com/s/files/1/0437/1709/9675/files/xodusedividufozatuwez.pdf
- https://cdn.shopify.com/s/files/1/0431/3881/0010/files/8534740473.pdf
- https://cdn.shopify.com/s/files/1/0427/7898/4614/files/dutolaweza.pdf
- https://cdn.shopify.com/s/files/1/0429/6779/3820/files/how_to_read_candlestick_chart_patterns.pdf
- https://cdn.shopify.com/s/files/1/0430/1645/4305/files/12353661532.pdf
- https://cdn.shopify.com/s/files/1/0433/3669/5959/files/legopovegexotaginuj.pdf
- https://cdn.shopify.com/s/files/1/0434/5679/0678/files/71443559806.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066f1.bin` `2611473bd50e973c43588b89c3f129e5ecddff615ca026979899221df857b050`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66F1	5736 bytes
`font_01_sfnt_off00007a47.bin` `ec09113da682eb46a21c4de444ad43fd72f2c706d5d85eb77a46784e8be9ba63`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A47	11496 bytes
`font_02_sfnt_off0000a1b9.bin` `45895599267ce770b7944221138faed73a5971737ccffdd72ef86c56b57c4533`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA1B9	16244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.