PDF malware analysis — malicious · 85afe2ad5432ca51

MALICIOUS

PDF

50.6 KB Created: 2020-08-30 05:52:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: afd5903bae6aa4e7aac5b42c8cccfb72 SHA-1: 8731cb682b0c9bd8868aeeb09fa1f1e33b4b86ce SHA-256: 85afe2ad5432ca510d71fbdf9cd638a65c27fab0e9e4aee5fefb17e253af0cce

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely used to deliver a malicious payload. The document body, though heavily obfuscated, contains this URL and appears to be a lure related to educational content. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm further supports malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=compl%25C3%25A9ment+de+phrase+cm1
- https://static.usrfiles.com/ugd/b8c837_915fbe5ade9346ce8f67f7844ead7270.pdf
- https://static.usrfiles.com/ugd/b8c837_2fcfb4a00c3547b6955354f727d50ad7.pdf
- https://static.usrfiles.com/ugd/72b0e7_e40318c1dab2429ba39f79f485165b2a.pdf
- https://static.usrfiles.com/ugd/e2c6c1_cc939a5669aa4fc8989d36864f2d4e23.pdf
- https://static.usrfiles.com/ugd/b8c837_478ef8dea919480d9464e6ab8d2cf77f.pdf
- https://static.usrfiles.com/ugd/82e28d_4052cc70e6c847b385e037dfabd8ae74.pdf
- https://static.usrfiles.com/ugd/b8c837_48e37fcc113c452f908e00b5c7180b52.pdf
- https://cdn.shopify.com/s/files/1/0436/6827/5353/files/98117097078.pdf
- https://cdn.shopify.com/s/files/1/0428/8721/7311/files/duraheat_kerosene_forced_air_heater_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/8704/4510/files/lion_air_boeing_737_max_crash_report.pdf
- https://cdn.shopify.com/s/files/1/0431/7049/6661/files/46166743463.pdf
- https://static.usrfiles.com/ugd/b8c837_eb15028794624703b85401b1264e92cb.pdf
- https://static.usrfiles.com/ugd/b8c837_7910ecf8492747a98f9ddf053568d30e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/b8c837_48e37fcc113c452f908e00b5c7180b52.p

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006138.bin` `1e62109085e22dcdaa51565600d585f6f266d84c47f881fad3f798e5ba4ae6fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6138	5272 bytes
`font_01_sfnt_off000072a7.bin` `8d0e43ab73b5c2735f7bdaad1c93bbc8973d20d0834734b1908c68d90f537b3a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72A7	11884 bytes
`font_02_sfnt_off00009838.bin` `4935603ab55f76872287563a9769dd1c174124dacc281fee03fb2e864e4c444f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9838	16144 bytes
`font_03_sfnt_off0000ad40.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAD40	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.