PDF malware analysis — malicious · 7f2e83535a4904a8

MALICIOUS

PDF

45.5 KB Created: 2020-08-17 07:23:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 03aa954a33a6d5b88a9e5756424d2c22 SHA-1: a0045035621382fda2342de3d93973c12c3c419e SHA-256: 7f2e83535a4904a87cc56bad9a929e38d4ea6db1d5d7c2b61ea0ce403801f3fa

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The primary malicious URL identified is ttraff.ru, which is known for redirecting users to malicious content. The document body, though heavily obfuscated, contains a reference to the same URL, suggesting it is the intended destination. The presence of numerous external links, many hosted on cdn.shopify.com, indicates a strategy to distribute malicious content through a large number of seemingly benign-looking documents.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=functional+areas+of+business+pdf
- http://files.mandiecline.com/uploads/1/3/1/4/131406075/1f9d7c7e93f09.pdf
- http://bedaleref.gvdesigncontract.net/uploads/1/3/1/4/131454012/mixozanedifugeva.pdf
- https://cdn.shopify.com/s/files/1/0433/4492/0734/files/letijokobivu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/77650869017.pdf
- https://cdn.shopify.com/s/files/1/0428/4809/2323/files/11424644860.pdf
- https://cdn.shopify.com/s/files/1/0430/8746/2551/files/effects_of_globalisation_on_developing_countries.pdf
- https://cdn.shopify.com/s/files/1/0437/8820/6238/files/trotter_525_treadmill_manual.pdf
- https://cdn.shopify.com/s/files/1/0429/2778/4095/files/2004_ford_f150_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0433/6805/4949/files/era_cenozoica_unam.pdf
- https://cdn.shopify.com/s/files/1/0435/0646/6975/files/america_s_test_kitchen_recipes.pdf
- https://cdn.shopify.com/s/files/1/0440/7217/3733/files/74980528237.pdf
- https://cdn.shopify.com/s/files/1/0427/9091/2159/files/7190372043.pdf
- https://cdn.shopify.com/s/files/1/0435/2992/8872/files/discord_formatting_color.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/044

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006848.bin` `b444b7cb365e96bca39718a786857a355ebaa931c0ed59f6243329b3c3c897f7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6848	5128 bytes
`font_01_sfnt_off000079ab.bin` `b6835e3f04c4be50fa2850c3fbc134a88db8731b350229b88a60798042458c77`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79AB	9776 bytes
`font_02_sfnt_off00009afc.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9AFC	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.