PDF malware analysis — malicious · a53d79ac0431eb7b

MALICIOUS

PDF

56.9 KB Created: 2020-08-30 12:26:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c1150b7162562500762f2431c8efe700 SHA-1: a3d572df358cc1afd89d92916906d13487dd93fa SHA-256: a53d79ac0431eb7b1ba760cb195ec8021fb8051339eb0831f96a29e451cedbef

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious due to containing a large number of external links, a technique often used for SEO poisoning or to distribute malicious content. One of the embedded URLs, 'https://ttraff.ru/wix?keyword=cowboy+bebop+intro', is identified as a known malicious redirector. The document body contains garbled text but includes the same malicious URL and several benign-looking Shopify URLs, suggesting a lure to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=cowboy+bebop+intro
- https://cdn.shopify.com/s/files/1/0432/0247/8237/files/zuwibadenek.pdf
- https://cdn.shopify.com/s/files/1/0437/0880/9384/files/gorozimavewukon.pdf
- https://cdn.shopify.com/s/files/1/0437/7041/3207/files/batman_vs_superman_pelicula_complte.pdf
- https://cdn.shopify.com/s/files/1/0430/4420/8797/files/24762996451.pdf
- https://cdn.shopify.com/s/files/1/0437/6595/6760/files/lizutaponajoruga.pdf
- https://static.usrfiles.com/ugd/f80014_e6c252db7c61458eb5bedd2ed355de8c.pdf
- https://static.usrfiles.com/ugd/71fd01_9fac98313d8a4bd9ab9e1da2cbd1c54e.pdf
- https://static.usrfiles.com/ugd/b8c837_6750a3ee64b34a2597d692cbba752b09.pdf
- https://static.usrfiles.com/ugd/b8c837_cff675cc254f44c1bde6a67e3e295c02.pdf
- https://static.usrfiles.com/ugd/f84671_575c477f67884e819cb5cbb36dcb8c48.pdf
- https://static.usrfiles.com/ugd/b8c837_867dfd62903a4df59efb9f9b30a9b231.pdf
- https://static.usrfiles.com/ugd/f84671_3475e64a35c444419a27a13df0035318.pdf
- https://static.usrfiles.com/ugd/e3ff21_395686c6bc2543e7bcc758e2cd2e892d.pdf
- https://static.usrfiles.com/ugd/804ff6_70bde35ccf9149a68bb501b4b388a468.pdf
- https://cdn.shopify.com/s/files/1/0430/1458/6517/files/96649441888.pdf
- https://cdn.shopify.com/s/files/1/0448/5156/0609/files/gb_shaw_arms_and_the_man.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000089fc.bin` `f31be713b88adf1a58562231047ac041fd00c0bb8127f721a9af2335f014bd8a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x89FC	7340 bytes
`font_01_sfnt_off0000a29e.bin` `d378c250f742781dd05b2ae76ac5270b4a91d1e57020e73eb7b0c33c25379bc3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA29E	4632 bytes
`font_02_sfnt_off0000b282.bin` `2c55f22198e036ee43abcb0d3b572f037990dd90d66207abe6ecf0c4bcf9e896`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB282	10720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.