PDF malware analysis — malicious · 9b396e2792b236a6

MALICIOUS

PDF

48.8 KB Created: 2020-08-20 22:21:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a4014bb99e12bf915a653c882f8672f2 SHA-1: f99db823aa8e8b356bb0e0567887158fdc33fcc9 SHA-256: 9b396e2792b236a6f01251641375e0efa0edcf473d3e1ebe7ec230359ae81dcb

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is used to obscure the final destination. The document body, though heavily obfuscated, contains the same URL and appears to be a lure related to 'auto sync android 7'. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to distribute the malicious PDF. No scripts were extracted, but the primary malicious activity observed is the redirection to a harmful URL.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=auto+sync+android+7
- http://vizizoxib.insurancenewsmyrna.com/uploads/1/3/1/6/131606552/rabepov.pdf
- http://jixemidi.edisonhighcheer.com/uploads/1/3/0/7/130776322/tufubupidowubipoto.pdf
- https://cdn.shopify.com/s/files/1/0437/4259/3189/files/71700029419.pdf
- https://cdn.shopify.com/s/files/1/0435/5008/1183/files/super_pocket_bikes_for_sale.pdf
- https://cdn.shopify.com/s/files/1/0432/7315/8806/files/axial_wraith_kit_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/7155/3188/files/daft_punk_technology_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0437/8155/4325/files/vodibotajedigoteleje.pdf
- https://cdn.shopify.com/s/files/1/0433/4977/0408/files/mugozejetadawituge.pdf
- https://cdn.shopify.com/s/files/1/0455/6845/8917/files/vixemujukuvojamo.pdf
- https://cdn.shopify.com/s/files/1/0430/3778/6266/files/cessione_di_fabbricato_per_ospitalit.pdf
- https://cdn.shopify.com/s/files/1/0430/8185/9225/files/72538200111.pdf
- https://cdn.shopify.com/s/files/1/0434/0583/6444/files/makalah_tentang_pendidikan_agama_islam.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gefoviliruvowej.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007508.bin` `01833107981753bb1151524396477486d2d1c6d049c7d76d963559761108f903`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7508	4836 bytes
`font_01_sfnt_off00008582.bin` `821d1190dfac771969226fd2d756eb85380fb52b622bedfa1440bf83a1ec1512`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8582	10420 bytes
`font_02_sfnt_off0000a8ae.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA8AE	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.