PDF malware analysis — malicious · 84a0ae6299240918

MALICIOUS

PDF

164.6 KB Created: 2020-08-14 00:47:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e5b4f7452a52024c6d4b1239c480741d SHA-1: 73a95400874ad33855867f70860cf66508c6b3aa SHA-256: 84a0ae629924091823651da5ae3ab943a5b40a496fae286e80e69be4004bc3c1

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is disguised with a keyword related to 'Charlie Puth'. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same malicious URL, indicating a phishing or social engineering attempt to redirect the user to malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=charlie+puth+how+long+album
- http://files.boninglassdesigns.com/uploads/1/3/1/6/131608037/jogidiwapitijoruzefo.pdf
- http://files.hotelbethlehemshoppe.com/uploads/1/3/1/3/131379406/bopubo.pdf
- http://wifube.stillnessrocks.com/uploads/1/3/1/1/131163494/nivafite.pdf
- http://files.acoptical.com/uploads/1/3/0/7/130738681/mokabi-rokaw-munewe.pdf
- https://cdn.shopify.com/s/files/1/0433/2532/5467/files/srimad_bhagavatam_canto_1_espaol.pdf
- https://cdn.shopify.com/s/files/1/0428/6421/4182/files/lavivugolipujonegekajave.pdf
- https://cdn.shopify.com/s/files/1/0431/2317/9677/files/vuxexes.pdf
- https://cdn.shopify.com/s/files/1/0432/2508/8168/files/gixirojipegowi.pdf
- https://cdn.shopify.com/s/files/1/0438/4020/9056/files/nukeke.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66083684812.pdf
- https://cdn.shopify.com/s/files/1/0427/6797/4556/files/pufekutilovuguguvex.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xezunegudowafosixezuvi.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rasamonuje.pdf
- https://cdn.shopify.com/s/files/1/0428/0349/5071/files/10422774516.pdf
- https://cdn.shopify.com/s/files/1/0450/3502/8630/files/12821241758.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00013e81.bin` `17d4b07bdf3350b81a1dedd21d338f7677e9167f4bd3608c62abfb43a350fd9d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13E81	86124 bytes
`font_01_sfnt_off00024034.bin` `7e4c4ea7dba817dbb98a0c82bdf167589696202c1a2405d8062010504cfd18cc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x24034	5192 bytes
`font_02_sfnt_off000251c2.bin` `6cf893022b5c789571029db38a2c4a9a00212a8e792030826ce3173697916ce8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x251C2	16336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.