PDF malware analysis — malicious · 5774f86e6c6850b7

MALICIOUS

PDF

45.8 KB Created: 2020-08-23 10:03:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 036732bf730f515b78a36c890d2fe976 SHA-1: c09a415a7a45aa194d7265d06887b53e3b55fe87 SHA-256: 5774f86e6c6850b7fa38823494f0c268fc02a559dd6eb2d3ab2d882ea4375204

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to direct users to malicious infrastructure, specifically identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The primary malicious URL is https://ttraff.com/pify?keyword=bully+pc++in+parts, which is part of a redirector chain. The document body, though heavily obfuscated, contains references to this URL and other PDF files hosted on Shopify, likely as a lure. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=bully+pc++in+parts
- http://siroji.chihimchik.com/uploads/1/3/1/4/131438096/mutupezema.pdf
- https://cdn.shopify.com/s/files/1/0440/1342/0702/files/html_to_php_mpdf.pdf
- https://cdn.shopify.com/s/files/1/0436/0005/2387/files/warhammer_total_war_bretonnia_army_guide.pdf
- https://cdn.shopify.com/s/files/1/0431/4149/6986/files/bcom_1st_year_books_2018.pdf
- https://cdn.shopify.com/s/files/1/0439/0263/2104/files/chikku_bukku_railu_vandi_song_starmusiq.pdf
- https://cdn.shopify.com/s/files/1/0436/0654/0445/files/c_programming_language_textbook.pdf
- https://cdn.shopify.com/s/files/1/0431/7564/1247/files/24900070379.pdf
- https://cdn.shopify.com/s/files/1/0438/0190/3264/files/vixekali.pdf
- https://cdn.shopify.com/s/files/1/0433/5661/8917/files/aerobus_bologna_orari.pdf
- https://cdn.shopify.com/s/files/1/0440/7109/2376/files/zelozekomepujati.pdf
- https://cdn.shopify.com/s/files/1/0429/8804/4447/files/pubg_tencent_buddy_emulator.pdf
- https://cdn.shopify.com/s/files/1/0428/5959/3894/files/1380983950.pdf
- https://cdn.shopify.com/s/files/1/0435/9448/1823/files/rational_choice_theory.pdf
- https://cdn.shopify.com/s/files/1/0431/9746/4731/files/gavekuzulatuw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005fcf.bin` `8f8d08afc4ed0306c6954bb3af714c257e96614d18cae52a7d56e41600f5c75a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5FCF	5076 bytes
`font_01_sfnt_off00007125.bin` `0f232f83b181cba27c9b295faaf152ffd2b218cd7d5f46c3134f01ad01c35ffb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7125	10604 bytes
`font_02_sfnt_off00009572.bin` `cbed3132cc84b56e1cc7051b75510d583a1e2846d4dc2cd715e8ce8dba061bb5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9572	16136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.