PDF malware analysis — malicious · a8403d3f5c7446ea

MALICIOUS

PDF

44.4 KB Created: 2020-09-09 19:46:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: dd2e52ee2fc15076e2f72b12d794685e SHA-1: ed0398864206b1121b0046d5fab2ffedd124d4b5 SHA-256: a8403d3f5c7446eae61ababb47b3704ce2e3c528d5b5fca3a3963284f8288db7

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by a critical heuristic for linking to known malicious redirector infrastructure. Additionally, it contains a mass external PDF link farm, indicating a likely SEO poisoning or phishing campaign. The embedded URL 'https://ttraff.club/pify?keyword=bangla+movie+2019+new' is a primary indicator of this malicious activity.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/pify?keyword=bangla+movie+2019+new
- http://rikuse.reclaimingbiblicalchristianity.com/uploads/1/3/1/6/131606174/5437211.pdf
- http://labujewe.minutemanindivisible.org/uploads/1/3/1/6/131637562/pegenozamoba.pdf
- http://files.catherineodriscoll.com/uploads/1/3/1/4/131452887/6873501.pdf
- http://nozevopip.chocolatelover.ph/uploads/1/3/1/4/131407227/307c283df154.pdf
- http://files.robertosmathnotes.com/uploads/1/3/1/6/131606583/c545eb732f69e86.pdf
- https://static.usrfiles.com/ugd/c3f88d_4c82c1475f714262b3558e8451d9a06e.pdf
- https://static.usrfiles.com/ugd/3c2e2e_74a90c9418d64d77b6a900ffcb32a871.pdf
- https://static.usrfiles.com/ugd/296484_b826e43463a24ce595337ed3b5e213a5.pdf
- https://static.usrfiles.com/ugd/837d34_259c2e0f60bb48898f8ed7e77fd497dc.pdf
- https://static.usrfiles.com/ugd/735189_e46bd9e8702d4cc9b267cbbaa0e19ed1.pdf
- https://cdn.shopify.com/s/files/1/0432/2423/6199/files/zitepomemipejijusolage.pdf
- https://cdn.shopify.com/s/files/1/0435/8022/7747/files/xaduwurasebadorigugosu.pdf
- https://cdn.shopify.com/s/files/1/0433/3781/0075/files/52789272185.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e78.bin` `4a7625169df0fc995194eaa97954525857a70e72275630406b8f039209987985`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E78	5416 bytes
`font_01_sfnt_off000080f5.bin` `92cb7124dac70b5cca8ebc9d93b16c1d84ffadcb9ba5add6af5c17fa02356c56`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x80F5	10556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.