PDF malware analysis — malicious · 5f1f39b59ef28e95

MALICIOUS

PDF

38.5 KB Created: 2020-08-21 00:30:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b440f636026f7e91c531db1e6a98f7d1 SHA-1: 8cd8bfe0b19a6bab66c41e8a74355cde939632ac SHA-256: 5f1f39b59ef28e95f450ee4d42add757b01495849320b8c56dd674fb6bf26ea2

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a link to a known malicious redirector, 'https://ttraff.cc/pify?keyword=line+stickers++png', which is likely intended to lead the user to a malicious site. The document also features a large number of embedded links to PDF files, characteristic of a link farm designed for SEO manipulation or to obscure malicious activity. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=line+stickers++png
- http://files.akamitzi.com/uploads/1/3/1/8/131857270/27d178fa00ec0.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0434/0151/1068/files/juropivomepagoramaxu.pdf
- https://cdn.shopify.com/s/files/1/0433/8787/9580/files/68008196247.pdf
- https://cdn.shopify.com/s/files/1/0431/5404/7138/files/41696486137.pdf
- https://cdn.shopify.com/s/files/1/0448/8675/3447/files/43401432507.pdf
- https://cdn.shopify.com/s/files/1/0431/0374/8260/files/autismo_y_sindrome_de_asperger.pdf
- https://cdn.shopify.com/s/files/1/0433/6690/8065/files/tovetok.pdf
- https://cdn.shopify.com/s/files/1/0435/7577/1304/files/83970077785.pdf
- https://cdn.shopify.com/s/files/1/0431/8412/8151/files/notodula.pdf
- https://cdn.shopify.com/s/files/1/0431/0951/5425/files/zakalozivakoje.pdf
- https://cdn.shopify.com/s/files/1/0427/9740/0223/files/delubavab.pdf
- https://cdn.shopify.com/s/files/1/0431/8311/2341/files/arabic_fonts_for_adobe_photoshop.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005af6.bin` `d36daa4ecc5d035ebc6e9d90d2f21c05b16bc1d1859f97a294cba76050c71977`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5AF6	4864 bytes
`font_01_sfnt_off00006b9e.bin` `a7f6b4a476a62b06e880a1ef79d646b3d4e082193ddb612287465bd4458c888f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B9E	10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.