PDF malware analysis — malicious · a0dd573e0e7b4522

MALICIOUS

PDF

54.6 KB Created: 2020-08-06 22:13:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a805bd898c125389233f31cc97435cba SHA-1: 5114a30b2a9090676c80fab044fa1919490c3430 SHA-256: a0dd573e0e7b4522da8dbce5c2ed16a0063c0546a9dcf7df5978e373e71f9311

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to 'ttraff.ru', which is flagged as malicious. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on Shopify. The document body, though heavily obfuscated, contains the same redirector URL and a reference to 'wkhtmltopdf', suggesting it was generated by a tool for creating PDF documents, likely for malicious distribution. The ML classifier strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=estat%25C3%25ADstica+aplicada+an%25C3%25A1lise+explorat%25C3%25B3ria+de+dados+pdf
- http://files.ecinspired.com/uploads/1/3/2/6/132681660/61552d591.pdf
- http://lewodena.fifelake.org/uploads/1/3/1/6/131606027/733771aa8e0f613.pdf
- http://files.gravelroadhome.com/uploads/1/3/1/0/131070246/worep.pdf
- http://files.lauralorenz.com/uploads/1/3/1/3/131397987/wukug.pdf
- http://kodeli.stdympnas.com/uploads/1/3/1/6/131637257/majarunirar.pdf
- https://cdn.shopify.com/s/files/1/0430/7327/4018/files/1160348999.pdf
- https://cdn.shopify.com/s/files/1/0440/4543/5030/files/python_sqrt_function.pdf
- https://cdn.shopify.com/s/files/1/0433/0255/1716/files/94791341162.pdf
- https://cdn.shopify.com/s/files/1/0434/1488/0405/files/rifuwiruvowubafagixegox.pdf
- https://cdn.shopify.com/s/files/1/0430/0842/6143/files/dokuxovidezasusemo.pdf
- https://cdn.shopify.com/s/files/1/0430/5915/1009/files/73814380411.pdf
- https://cdn.shopify.com/s/files/1/0436/0211/6772/files/38605181676.pdf
- https://cdn.shopify.com/s/files/1/0428/6133/0591/files/76305667030.pdf
- https://cdn.shopify.com/s/files/1/0428/7148/8668/files/37795951266.pdf
- https://cdn.shopify.com/s/files/1/0428/3393/6547/files/dewomatarolokakutafago.pdf
- https://cdn.shopify.com/s/files/1/0433/5271/9515/files/vastu_shastra.pdf
- https://cdn.shopify.com/s/files/1/0433/0576/2974/files/mikudubonorobujona.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000870b.bin` `2a3b291841208e672035323979b53fe8118a01c6bd2d07e0af01a6ec01cb9353`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x870B	5600 bytes
`font_01_sfnt_off0000994f.bin` `f36c87f75c90a5e5a5e716380d10a13da88695003284a0a1388e0325ceb8bb3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x994F	16768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.