PDF malware analysis — malicious · 97145e3dd0f681d1

MALICIOUS

PDF

42.7 KB Created: 2020-09-12 09:47:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: eac5306e580122303393da8cf6e813d0 SHA-1: 8300ccd5ed8ce5b5a7a5558fedb64af3f9dcc0c4 SHA-256: 97145e3dd0f681d1bf05672b87ca8b45edc9494177ffc4211f606f1b185560f9

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.me, which is disguised as a search result. The document body, though heavily obfuscated, contains the same URL and appears to be generated by wkhtmltopdf. The presence of a link farm heuristic further suggests a malicious intent to redirect users to potentially harmful content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/pify?keyword=karthik+raj+photos+hd
- https://static.usrfiles.com/ugd/b8c837_f5e07f0d016147b8b28ddc512b72ef60.pdf
- https://static.usrfiles.com/ugd/144d27_4d1576d573ee427dbea6dbb417304bf6.pdf
- https://static.usrfiles.com/ugd/bb10c5_c7232b3d13274475ac5437380724fa26.pdf
- https://static.usrfiles.com/ugd/b4a829_a9d9e1f5bea64358a100988ec077f09b.pdf
- https://static.usrfiles.com/ugd/0ebc1f_bd22d94e8afa4d39972d7aecf7f4edb3.pdf
- https://static.usrfiles.com/ugd/857e61_331ed1f2eb254adab152dbed4c8fef2f.pdf
- https://static.usrfiles.com/ugd/1acd69_c992da8235df4fb18d5dba50dae495c5.pdf
- https://static.usrfiles.com/ugd/f68081_6ff40138ac02492a84efe519669b9d8c.pdf
- https://static.usrfiles.com/ugd/4c4e45_d99104c8ac334830b11ac05294f8c378.pdf
- https://static.usrfiles.com/ugd/c81504_e8e1f61b0c9b4f57b327d815215f6161.pdf
- https://static.usrfiles.com/ugd/20d83a_5f21f9df51e84504b0cfc299629421cf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000054d8.bin` `535137901d5962e4ebf92e2296db55368b4b1a1c1aacd13bd524d52127e8f1fe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x54D8	5124 bytes
`font_01_sfnt_off0000663b.bin` `ea6d0e38598c8bda4423248d9a10bb622d8353c85eda2eb2773292584997fbcb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x663B	5948 bytes
`font_02_sfnt_off00007974.bin` `e2b7e88a6588da7e111ae5f73444f2dfabfa855707d38eb3476c2d50b16cb6e0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7974	9908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.