PDF malware analysis — malicious · 5b0cf12f310ff091

MALICIOUS

PDF

47.2 KB Created: 2020-08-22 08:15:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ab13319fb41180cbd1020cf5da9e4d6a SHA-1: 39b851b3db59bf16564388ab410a02170af15525 SHA-256: 5b0cf12f310ff091aaa355f15cfcdbef3df0eec64041c50ad99aa2947252b45e

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a high number of embedded links, many pointing to Shopify-hosted PDFs, which is indicative of a link farm or SEO poisoning attempt. One critical heuristic identified a link to a known malicious redirector infrastructure at 'ttraff.com'. The document body also contains the same malicious URL and a reference to 'summoners war runes guide', suggesting a lure to a potentially malicious or phishing site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=summoners+war+runes+guide
- http://ramuf.greenridgewoodnj.org/uploads/1/3/1/4/131406437/6394797.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/meragavafeduxilaxopuxaw.pdf
- https://cdn.shopify.com/s/files/1/0435/3844/8548/files/xasisefupev.pdf
- https://cdn.shopify.com/s/files/1/0428/5975/7727/files/the_awakening_by_kate_chopin_download.pdf
- https://cdn.shopify.com/s/files/1/0436/4235/5865/files/dusolumevikubigeduga.pdf
- https://cdn.shopify.com/s/files/1/0429/0212/6755/files/66568506945.pdf
- https://cdn.shopify.com/s/files/1/0431/7108/6485/files/51719667176.pdf
- https://cdn.shopify.com/s/files/1/0437/2715/9445/files/budgeting_definition.pdf
- https://cdn.shopify.com/s/files/1/0434/1052/2277/files/79826539970.pdf
- https://cdn.shopify.com/s/files/1/0433/8283/3308/files/message_manager_app_android.pdf
- https://cdn.shopify.com/s/files/1/0464/7446/1352/files/82842759936.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007b43.bin` `e873277d13c379a757a1ee0ad5411f1ee5316615b3208304e9a50fc154d4cf68`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B43	5308 bytes
`font_01_sfnt_off00008d38.bin` `509f43afcee81cd195aa2bf9be2be23a2857cd47ac4dc14b5360d83e664845ac`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D38	10360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.