PDF malware analysis — malicious · 98bf13d464431947

MALICIOUS

PDF

97.7 KB Created: 2020-07-30 23:33:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a2d717d3f153f8b508b8a88a6aa8682e SHA-1: 2bfc28f30bae35f5175a6988181681fe5d6d3fd0 SHA-256: 98bf13d46443194755e640a09169ff38f41b2c74502a20fd0a1adbba92f78562

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic identifying a malicious redirector at 'https://ttraff.ru/pify?keyword=automatic+control+pdf+download'. This suggests the document is designed to redirect users to malicious sites, likely for phishing or malware delivery. The presence of a large number of external PDF links, many hosted on Shopify, further indicates a link farm or content manipulation strategy. No scripts were extracted, but the PDF structure and heuristics strongly point to a malicious redirection attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=automatic+control+pdf+download
- http://files.ohmyluxo.com/uploads/1/3/1/1/131164398/davanejekixever-vijetiteneta.pdf
- http://files.asl-universe.com/uploads/1/3/1/4/131437139/19dcc515f7e864.pdf
- http://files.drakekappaalphatheta.com/uploads/1/3/0/9/130969636/subinimapep.pdf
- http://files.crossfitwatford.co.uk/uploads/1/3/0/7/130739892/5374457.pdf
- http://files.stanleyjusticeproductions.com/uploads/1/3/1/4/131407028/872480177.pdf
- https://cdn.shopify.com/s/files/1/0434/4987/6630/files/womigawavanaji.pdf
- https://cdn.shopify.com/s/files/1/0432/1761/7057/files/78978481665.pdf
- https://cdn.shopify.com/s/files/1/0431/0358/4409/files/70374677560.pdf
- https://cdn.shopify.com/s/files/1/0431/3323/9457/files/23057972785.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/15125842299.pdf
- https://cdn.shopify.com/s/files/1/0440/6067/2165/files/tawuvebudoduji.pdf
- https://cdn.shopify.com/s/files/1/0431/4015/3505/files/jixilizawifezebosibumaje.pdf
- https://cdn.shopify.com/s/files/1/0437/0386/1401/files/tefemalekizurizaz.pdf
- https://cdn.shopify.com/s/files/1/0432/6113/2962/files/61100210405.pdf
- https://cdn.shopify.com/s/files/1/0428/4658/4999/files/lowiwomabo.pdf
- https://cdn.shopify.com/s/files/1/0428/9118/2243/files/ravoli.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000146f7.bin` `28b92c91e8fd3a9c3cfd294e58cd5744025a452436974c4e173239847a0eae97`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x146F7	4968 bytes
`font_01_sfnt_off000157c6.bin` `c15514d37e7200aa05d8526967767d66f0ce91082b54632332e87f1a3e144385`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x157C6	9852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.