PDF malware analysis — malicious · 518b7e1f4a29f6a2

MALICIOUS

PDF

40.4 KB Created: 2020-08-31 10:16:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b49300f6005db34684f6266220827dfa SHA-1: 5dfa35c234baf81bb427c35dd5d54e8b6f531389 SHA-256: 518b7e1f4a29f6a2567de4f461b241f4e20ce4a605e7e6bbe6b4ebe3e49449ab

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=open.+swf+in+chrome'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains references to opening SWF files in Chrome, suggesting a social engineering lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=open.+swf+in+chrome
- https://static.usrfiles.com/ugd/eaf48f_9390385813f248b8a7cd567696d2ddd9.pdf
- https://static.usrfiles.com/ugd/b8c837_5b43aa52fe5544a390e22e3d4a170f3b.pdf
- https://static.usrfiles.com/ugd/b8c837_6e7907bb8ad34464a06d44978dde9dd4.pdf
- https://static.usrfiles.com/ugd/b8c837_73e93f210d484852a2ad6353ddc83a3f.pdf
- https://static.usrfiles.com/ugd/1b8612_dc2784d8b04040289181eaacab78620c.pdf
- https://static.usrfiles.com/ugd/b47706_19d502c0b0ec4a2595e91bcd61dca408.pdf
- https://static.usrfiles.com/ugd/b8c837_fa32e7286ed54b8caacc51df05390803.pdf
- https://static.usrfiles.com/ugd/ca32a8_7c06ca39724c41bf9566340797d4a232.pdf
- https://static.usrfiles.com/ugd/b8c837_719d18d9966241149a2088d927488284.pdf
- https://static.usrfiles.com/ugd/db1da1_79eaac6d877f4a08bb836da9ca82d1fa.pdf
- https://static.usrfiles.com/ugd/38bf1f_b64ca5ce6ca54f599aaf714285b63271.pdf
- https://static.usrfiles.com/ugd/b8c837_916e44f6fad5480fa1539ac33117e80c.pdf
- https://static.usrfiles.com/ugd/c63dba_b18191c164cb4c11b744d525bc6f6a41.pdf
- https://static.usrfiles.com/ugd/b8c837_71122891b4c64d9488dcbdef0f8eca2c.pdf
- https://cdn.shopify.com/s/files/1/0440/2518/4421/files/bokeniji.pdf
- https://cdn.shopify.com/s/files/1/0432/6519/6197/files/senizatoneb.pdf
- https://cdn.shopify.com/s/files/1/0431/5152/4008/files/95271520038.pdf
- https://cdn.shopify.com/s/files/1/0438/3372/0992/files/casio_f91w-_1_manual.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005fdf.bin` `8edb45c25e25b2b8306f24e60ffca600cc9a3d5436ede89bcb103b949db340d4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5FDF	5164 bytes
`font_01_sfnt_off0000715c.bin` `70a2ba97d569455f291beb7d2e47076c92bfe7c7ae638ec2b58707e07e1ed247`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x715C	10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.