PDF malware analysis — malicious · 79e85931877ca43f

MALICIOUS

PDF

41.0 KB Created: 2020-09-01 15:39:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: cc25cb47a418fb1872af2d8983fd4a06 SHA-1: 4650d15a4d2c325f8c077e83d024a954ccf3f76d SHA-256: 79e85931877ca43fbd69e68de64d49fa7e706b7c2f977a60bb18c7e5345665ca

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains embedded links, one of which points to a known malicious redirector at 'ttraff.ru'. This heuristic, combined with the ML classifier's high confidence, indicates the document is designed to lure users to malicious content. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning attempt to distribute malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=2011+jeep+liberty+reviews+consumer+reports
- https://cdn.shopify.com/s/files/1/0430/4188/2265/files/rilosukejew.pdf
- https://cdn.shopify.com/s/files/1/0428/1221/1359/files/bakowivijidofi.pdf
- https://cdn.shopify.com/s/files/1/0431/8131/0114/files/begepo.pdf
- https://cdn.shopify.com/s/files/1/0448/4648/1570/files/linux_run_simplehttpserver_as_service.pdf
- https://cdn.shopify.com/s/files/1/0428/6355/8815/files/biwevevavixa.pdf
- https://cdn.shopify.com/s/files/1/0431/7403/5607/files/lujutaromororikafagofe.pdf
- https://cdn.shopify.com/s/files/1/0435/6279/5171/files/mbta_subway_map.pdf
- https://cdn.shopify.com/s/files/1/0432/6332/8411/files/murigajewubiji.pdf
- https://cdn.shopify.com/s/files/1/0435/4772/1892/files/jomufuzatiwodet.pdf
- https://cdn.shopify.com/s/files/1/0435/6082/9087/files/bassaleg_estyn_report.pdf
- https://cdn.shopify.com/s/files/1/0427/6345/2583/files/chok_chok_holographic_sheet_mask.pdf
- https://cdn.shopify.com/s/files/1/0436/8944/3483/files/akanamali_remix_music.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006066.bin` `5c1409fb5d94ba368d96daa8e4f908e6f70c36201259659d52c5f5a9f1db6dbd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6066	5568 bytes
`font_01_sfnt_off00007368.bin` `feae73e47003a6ef29831fc8df8f3451c915e4fe8d69dc99d0492fa9d96ffd84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7368	10540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.