PDF malware analysis — malicious · 96959e7ae9ff9651

MALICIOUS

PDF

43.1 KB Created: 2020-08-31 05:59:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bf9e4b03d5147a970b96a2d8215d1767 SHA-1: 4cdc7dacc97226252165f4e52f905ced208f57c7 SHA-256: 96959e7ae9ff9651c0af2badb81fdb15cb2898d4103d0f657749b5eb6ca51682

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. One of the primary IOCs is the URL https://ttraff.cc/wix?keyword=presion+155+101, which is identified as a malicious redirector.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=presion+155+101
- https://static.usrfiles.com/ugd/756799_41355e688cd846e3ab0a3433e77d0245.pdf
- https://static.usrfiles.com/ugd/d99ef3_2cbcccfcf5c94174afc0e8e3816330ad.pdf
- https://static.usrfiles.com/ugd/5438e3_6b9bf6cf1b334f67a6711ce898886e9a.pdf
- https://static.usrfiles.com/ugd/45fd81_a3efbb5d4d4d4c0abd21a0bf807698cb.pdf
- https://cdn.shopify.com/s/files/1/0433/0756/5214/files/cret_bursary_application_form_2020_download.pdf
- https://cdn.shopify.com/s/files/1/0433/2702/9400/files/minabewamal.pdf
- https://cdn.shopify.com/s/files/1/0427/9628/6111/files/3172196148.pdf
- https://cdn.shopify.com/s/files/1/0427/6623/7852/files/far_cry_4_patch_1._9_download.pdf
- https://cdn.shopify.com/s/files/1/0435/3579/4340/files/29932646903.pdf
- https://cdn.shopify.com/s/files/1/0449/0467/7543/files/comment_nouer_une_cravate_en_image.pdf
- https://cdn.shopify.com/s/files/1/0433/9000/9509/files/fatin_shidqia_yang_terdalam.pdf
- https://cdn.shopify.com/s/files/1/0431/7141/4167/files/57988335385.pdf
- https://cdn.shopify.com/s/files/1/0440/3340/9174/files/61635347189.pdf
- https://static.usrfiles.com/ugd/b8c837_eaec37f21ff64c6ca47c91c912292bbe.pdf
- https://static.usrfiles.com/ugd/a91264_16e64926aba1472da88e1ef37abd1587.pdf
- https://static.usrfiles.com/ugd/b8c837_b798244337974331a7ca0fb43a6ad61f.pdf
- https://static.usrfiles.com/ugd/aef5b7_5fb882169f6d4f32840af4fae81e0c6c.pdf
- https://static.usrfiles.com/ugd/856cea_3ec8055ff0104654b732339b4829360a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006d4e.bin` `92c8df389a8896b857c8b33f47348c55cbfa77632bfb22d4e055599f9d69e568`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D4E	4756 bytes
`font_01_sfnt_off00007d91.bin` `5f3c84cae365b475ae30765b01fbd238302786ec39bcb04005e0a6f4c6289232`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D91	10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.