PDF malware analysis — malicious · 90e1800124878923

MALICIOUS

PDF

38.6 KB Created: 2020-08-02 19:39:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c24ca5459c7b7dd545331867ca152418 SHA-1: af5637575f0ca9add91289b5424e7fc0e3ac786b SHA-256: 90e180012487892329e03ddce7f57e3f9e8be3a612c9b4f7c0d3a0eab1edce35

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits a PDF link farm behavior, embedding numerous links, many of which point to Shopify-hosted PDFs. The ML classifier also strongly flagged this PDF as malicious. The primary intent appears to be directing users to potentially harmful external sites through a deceptive link farm.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=tiffany+thompson+x+art
- http://files.texasstaycations.com/uploads/1/3/2/6/132681556/neforike.pdf
- http://files.mwprofessionalphotography.com/uploads/1/3/1/4/131453393/rifigun.pdf
- http://files.cphsvirtualmuseum.com/uploads/1/3/2/6/132681885/kizafetabu.pdf
- http://files.aes-tx.com/uploads/1/3/1/8/131871568/futokumukivi.pdf
- http://files.amishfictionbooks.com/uploads/1/3/0/9/130969036/mibitutalevogi-bopoxevanasupim.pdf
- https://cdn.shopify.com/s/files/1/0432/4474/8950/files/lasopirebusamez.pdf
- https://cdn.shopify.com/s/files/1/0428/9472/1187/files/56608878242.pdf
- https://cdn.shopify.com/s/files/1/0435/2881/4760/files/93159351077.pdf
- https://cdn.shopify.com/s/files/1/0433/8542/1978/files/66232572464.pdf
- https://cdn.shopify.com/s/files/1/0431/0751/6578/files/36513650630.pdf
- https://cdn.shopify.com/s/files/1/0430/4617/4877/files/duxomenudatibulufutokoj.pdf
- https://cdn.shopify.com/s/files/1/0430/3470/6069/files/uninstall_and_reinstall_windows_defender_windows_10.pdf
- https://cdn.shopify.com/s/files/1/0429/7159/4911/files/79747339291.pdf
- https://cdn.shopify.com/s/files/1/0441/3535/0424/files/59999248868.pdf
- https://cdn.shopify.com/s/files/1/0429/7896/7703/files/40459800657.pdf
- https://cdn.shopify.com/s/files/1/0434/2756/1621/files/jopepijewuteve.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005068.bin` `4ef3a964d039f053a58468aae28adbbbf2a75927edf9f049df3a376c1d7d3d16`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5068	5228 bytes
`font_01_sfnt_off0000620b.bin` `daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x620B	1800 bytes
`font_02_sfnt_off00006a99.bin` `1612d54f23da952d3cb5d2133a575b75962815a0cc51555d4fea349e7535321e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A99	10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.