PDF malware analysis — malicious · aa08d66c729c80a7

MALICIOUS

PDF

44.6 KB Created: 2020-08-22 10:15:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 997c023b2a17316be69bcae23a2aec4a SHA-1: e98962b58cf9fb2781e4eb2e34216e99504663e9 SHA-256: aa08d66c729c80a7ee2ba939d88802b42bc06fb282c5875b3ed3de2fdafd5fea

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to external PDF files, a common tactic for SEO poisoning or link farming. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/pify?keyword=niv+integrated+study+bible+pdf'. This suggests the document is designed to redirect users to malicious content, likely for phishing or malware distribution. No scripts were extracted, but the presence of the malicious redirector is a strong indicator of malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=niv+integrated+study+bible+pdf
- http://rugeku.freebiequeen13.net/uploads/1/3/0/7/130775062/004a953a59b5.pdf
- http://files.paskepestcontrol.com/uploads/1/3/2/6/132682230/jajuperejurivep-naretoso.pdf
- http://gebavige.lorrainenilsonphotography.com/uploads/1/3/0/8/130874163/7778b1c3d3.pdf
- http://mafinon.transactionbankingacademy.com/uploads/1/3/1/4/131483152/8ce7755c.pdf
- https://cdn.shopify.com/s/files/1/0434/3565/5335/files/threats_to_auditor_independence.pdf
- https://cdn.shopify.com/s/files/1/0435/1095/6196/files/puvikovisuwilepokis.pdf
- https://cdn.shopify.com/s/files/1/0440/0994/7301/files/72139677957.pdf
- https://cdn.shopify.com/s/files/1/0436/5769/1289/files/data_structures_and_algorithm_java.pdf
- https://cdn.shopify.com/s/files/1/0430/9480/2589/files/xuzezupuvefodo.pdf
- https://cdn.shopify.com/s/files/1/0428/9318/1095/files/formal_letter_template_ielts.pdf
- https://cdn.shopify.com/s/files/1/0428/1165/4307/files/pikupomulawadefu.pdf
- https://cdn.shopify.com/s/files/1/0431/1928/0288/files/tofuluromagenikafelamen.pdf
- https://cdn.shopify.com/s/files/1/0429/0327/3628/files/depelumodukowefolu.pdf
- https://cdn.shopify.com/s/files/1/0437/6189/3534/files/5971054351.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000060b5.bin` `cc1841a094dac440a49b9a4b98a2edf110351ad0c56c157fdcdb3b264b30bbe5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60B5	5252 bytes
`font_01_sfnt_off0000729d.bin` `9d87119596ebc36d1fb724c66a8645c8b998118de44b46667b71faee1b71f684`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x729D	10288 bytes
`font_02_sfnt_off000095cd.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x95CD	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.