PDF malware analysis — malicious · 5b22973f1793d8c9

MALICIOUS

PDF

40.7 KB Created: 2020-09-18 21:15:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e02f9a66afeb20df071ce7abeedf1407 SHA-1: 4e76a2c1bc5b6dd5b43f1fed990630dc0af3d6f1 SHA-256: 5b22973f1793d8c96cc53efa2458abc5fd3095a305c162692fb4789ef7835854

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes. The presence of a link to 'ttraff.club' further supports the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=if+i+stay+2+pdf+download
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://ec97f344-d4f5-4e6f-a87c-ed0a430af27a.filesusr.com/ugd/9117e0_0a19fff490e34a23847b4e6b87a7fd9d.pdf?index=true
- https://951fce0d-2521-414b-9900-73aadb2cecc8.filesusr.com/ugd/227d0f_ec72044a73e54a5fb0f384395f3202b7.pdf?index=true
- https://bad65e69-9fc7-4d0b-bd4b-0ed861c4d742.filesusr.com/ugd/39cb9d_939e189117af4a1187301bbc42a42141.pdf?index=true
- https://cdn.shopify.com/s/files/1/0438/5426/6533/files/fofiduwopa.pdf
- https://cdn.shopify.com/s/files/1/0429/7755/8681/files/pefutefija.pdf
- https://b189c561-97f5-4ab7-adfb-2cf6f6b2ff70.filesusr.com/ugd/1849a1_75bf781ab2fb4b138d6eb84385563696.pdf?index=true
- https://7c017e54-c8cf-426a-8037-d376aef6e356.filesusr.com/ugd/5360f8_8d602581f0ea402b9edc1e84b4bc8740.pdf?index=true
- https://4de3c1dc-07ac-48f8-8e04-4afbe62a068b.filesusr.com/ugd/9ff9b8_07a0bd841ccf4dceb38e1b6b81495bda.pdf?index=true
- https://6b742878-7e5b-4fb2-94a7-e9183ddc6040.filesusr.com/ugd/a32c20_db3d821b153e4a5fa8c9ada1cf948755.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000613f.bin` `093da61344bb060759d78f4505b60f56a862dab49c187475df82681681d61ccc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x613F	5200 bytes
`font_01_sfnt_off00007329.bin` `eff375f1f65ecca9d44b2851deef45d5d66ba3438ba7768f89df084352dfef1b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7329	10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.