PDF malware analysis — malicious · 8146846ae10e1934

MALICIOUS

PDF

80.1 KB Created: 2020-09-19 10:42:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a754c1f300ea92162c40a324d429aeb9 SHA-1: 7572481acad4cd098430a12482b64b97db74943a SHA-256: 8146846ae10e1934c81b317020bcf7ef727cdb185274dfabaec2b94723b9c1bf

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wb?keyword=toy%20story%20personajes%204'. This URL is presented within the document body, suggesting a social engineering lure. The presence of a large number of embedded links, many pointing to benign content, indicates a link farm strategy to obscure the malicious destination. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=toy%20story%20personajes%204
- https://8ea4ecf4-444c-4d8d-bd47-06459c923012.filesusr.com/ugd/2f8cea_dfe4becab00b414c9176ca5822fdf843.pdf?index=true
- https://11203e67-46e0-47f8-80fd-1323626053f5.filesusr.com/ugd/5dc3ca_aef9d74b28274123981f27e883f551bc.pdf?index=true
- https://e2bfbb42-c4c3-4e75-abd2-b568fff02561.filesusr.com/ugd/69695d_3bd0294897ab456a802666e788ad7183.pdf?index=true
- https://1e7cc32b-74ba-400f-9016-1112d07894fe.filesusr.com/ugd/8c0e65_a18477f67a8649279e05891f6d42dbc3.pdf?index=true
- https://cdn.shopify.com/s/files/1/0438/4689/3730/files/beduwiwuw.pdf
- https://cdn.shopify.com/s/files/1/0429/8542/2997/files/2018_edelman_trust_barometer_report.pdf
- https://cdn.shopify.com/s/files/1/0439/0102/6472/files/wefowikugibe.pdf
- https://cdn.shopify.com/s/files/1/0456/8422/8255/files/23631280811.pdf
- https://cdn.shopify.com/s/files/1/0452/1800/5143/files/bhagavad_gita_in_marathi.pdf
- https://cdn.shopify.com/s/files/1/0435/3087/9136/files/50588240422.pdf
- https://cdn.shopify.com/s/files/1/0436/5864/1561/files/novosinavulasapu.pdf
- https://cdn.shopify.com/s/files/1/0482/8584/3617/files/36813019297.pdf
- https://cdn.shopify.com/s/files/1/0481/5300/2135/files/xuradonasebowasetozav.pdf
- https://cdn.shopify.com/s/files/1/0437/2014/7112/files/25338073564.pdf
- https://cdn.shopify.com/s/files/1/0427/5693/1751/files/fivojitobumare.pdf
- https://cdn.shopify.com/s/files/1/0428/9144/4390/files/86370602815.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ec23.bin` `1a1090b9bec2f9a44b5369138d7d5a896ce1563c849cdd07467a17e95a3df17b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC23	4996 bytes
`font_01_sfnt_off0000fd3e.bin` `5ebb18ae708b5204e4ac0a44a1df07919d6aced46fc47c38cccf2f52afa963f7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFD3E	17632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.