MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.me/wix?keyword=stellaris+psionics+guide, which is likely used to funnel victims to further malicious content. The document's structure and the presence of numerous links suggest a link farm or phishing attempt disguised as a guide.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.me/wix?keyword=stellaris+psionics+guide
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006bda.bin 5d78c9c212a59d07cce47c1306ec34f6847fa40c692076cc972c306d1b1aebab | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6BDA | 5344 bytes |
| font_01_sfnt_off00007e0f.bin 52d32e2a21200c63f4ee37971b1c63f011615e2c8668fa6f36730aaa172408b5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E0F | 10652 bytes |