PDF malware analysis — malicious · 565db542f6f4e4d6

MALICIOUS

PDF

49.2 KB Created: 2020-09-02 00:21:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f1723bfbf984871f9424c85798802da7 SHA-1: d11c0b6eb2d480fee03d012616fc15ef53183bba SHA-256: 565db542f6f4e4d639070d4b92df8872aecf9a8cb26dfbf8ed0e647543962da0

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.ru/wix?keyword=aviary+photo+editor++for+pc', points to known malicious redirector infrastructure. The presence of a link farm and a malicious redirector suggests the document is designed to lure users to malicious sites. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=aviary+photo+editor++for+pc
- https://cdn.shopify.com/s/files/1/0432/8649/5400/files/tuwusanubifofakatag.pdf
- https://cdn.shopify.com/s/files/1/0429/6015/8873/files/kaleshwaram_project.pdf
- https://cdn.shopify.com/s/files/1/0434/7333/8533/files/fexakewafapuv.pdf
- https://cdn.shopify.com/s/files/1/0435/9605/4690/files/8345267229.pdf
- https://static.usrfiles.com/ugd/b8c837_e60d38d172564e7582d1c6a0d27d4e02.pdf
- https://static.usrfiles.com/ugd/1b8612_7fac69e93e7242dc94dbdc8d32978a28.pdf
- https://static.usrfiles.com/ugd/dc98cc_c18482cf971a41aeaf747e269c06d9bf.pdf
- https://static.usrfiles.com/ugd/4f92c1_4fca853370ba4de1b2d809fb86243472.pdf
- https://static.usrfiles.com/ugd/83d902_13b0204f384e4c03b2fd7cb654db5cf9.pdf
- https://static.usrfiles.com/ugd/4e6dd5_f7f69081cc534864be65f354f89de35a.pdf
- https://static.usrfiles.com/ugd/7c30af_2f7a9ad6446a445fb65e5ae482e43c52.pdf
- https://cdn.shopify.com/s/files/1/0435/3500/7893/files/49586349856.pdf
- https://cdn.shopify.com/s/files/1/0432/9160/7190/files/17388326649.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008297.bin` `519b1e4f24665680b4d53d90d627193ee38aa810eb3cf660bd181d8529e0af25`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8297	5184 bytes
`font_01_sfnt_off00009449.bin` `f1eb39c8de131db444a55be9e6b019bd2fc07d6acaba3c182677cfe8df32ca86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9449	10604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.