PDF malware analysis — malicious · a9f710405f6dbb87

MALICIOUS

PDF

45.1 KB Created: 2020-08-31 07:04:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 990b2e593630367521ca5b81ce30753e SHA-1: 91482fb480a057621b941059500a1bca57e8a0d0 SHA-256: a9f710405f6dbb87ca2c06a7c030788b34969fc46bb30d7324bf6f10b636ed50

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded URLs, with a critical heuristic firing indicating it's a malicious redirector link farm. The primary URL, 'https://ttraff.ru/wix?keyword=conditional+declarative+knowledge', is flagged as malicious. The document body, though heavily obfuscated, also contains this URL and numerous other links pointing to Shopify and static.usrfiles.com domains, suggesting a large-scale link farm operation. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=conditional+declarative+knowledge
- https://cdn.shopify.com/s/files/1/0437/7270/6977/files/38728712091.pdf
- https://cdn.shopify.com/s/files/1/0431/5411/2672/files/kemaxemirapuxu.pdf
- https://cdn.shopify.com/s/files/1/0462/6179/7013/files/plastic_gift_wrapping_sheets.pdf
- https://cdn.shopify.com/s/files/1/0435/2383/4024/files/mejivigaxosubumadiwekunij.pdf
- https://cdn.shopify.com/s/files/1/0427/6640/1692/files/57403174180.pdf
- https://cdn.shopify.com/s/files/1/0431/1724/8672/files/budojimususebiniwovebuxu.pdf
- https://static.usrfiles.com/ugd/cafc24_12d02619ef7a4fce860b40c6c22589ec.pdf
- https://static.usrfiles.com/ugd/b8c837_f1b405fb8ba84b7eadd8756f7b612aad.pdf
- https://static.usrfiles.com/ugd/5a1791_b90284debe214d5ead086204a2b1ec6a.pdf
- https://static.usrfiles.com/ugd/ee9d3f_2d023f5f5c194874a571d2cf6b9d798b.pdf
- https://static.usrfiles.com/ugd/8b9728_e5e713bac7664ed298f1d7f5f634ddc4.pdf
- https://static.usrfiles.com/ugd/5ecadc_6b638259443049298b388f656ae26b3f.pdf
- https://static.usrfiles.com/ugd/b8c837_e3adabb3da63441b94fc10baf91845ec.pdf
- https://static.usrfiles.com/ugd/b8c837_714e4135be8f4c96a179b8141231f395.pdf
- https://static.usrfiles.com/ugd/804ff6_028e08b8c4604cf8b2f50ec02338e618.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006557.bin` `3c9cd1db7369f28a87bf5c2e3434ae87704a487c26d5fcbef3f0ad2a1b7746b8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6557	4956 bytes
`font_01_sfnt_off00007659.bin` `c9d24dba62b8599770890a5ef8feec744dddabd5293a87ab8b6c73d0b0b022d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7659	10304 bytes
`font_02_sfnt_off00009978.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9978	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.