PDF malware analysis — malicious · b1d887735ce52d32

MALICIOUS

PDF

43.1 KB Created: 2020-09-01 07:24:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c91ef9dbec5c699a9d395951283209c8 SHA-1: 9d018f0420ebdae52cf62c6c4007aba166603b24 SHA-256: b1d887735ce52d320aee0e806ed6fbe6973b76706217ffb5fe7778b8c428c1ff

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a redirector hosted on 'ttraff.ru' which is flagged as malicious. The document body, though heavily obfuscated, contains text related to 'upcoming battle royale games android' and the malicious URL. This suggests a social engineering lure to drive traffic to malicious sites, likely for further exploitation or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=upcoming+battle+royale+games+android
- https://static.usrfiles.com/ugd/b8c837_da00b4db468d47fd86cf241cd1d0a477.pdf
- https://static.usrfiles.com/ugd/9ff9b8_d235abcfd4384d6b99ef29aee3c6894b.pdf
- https://static.usrfiles.com/ugd/345929_e4097f18400c44ac9541c0773c446ccc.pdf
- https://static.usrfiles.com/ugd/04e6f9_4d39ea1b429c4663844a7b3607edf3f9.pdf
- https://cdn.shopify.com/s/files/1/0434/7628/7648/files/61708058004.pdf
- https://cdn.shopify.com/s/files/1/0431/2930/7296/files/texas_form_05_102.pdf
- https://cdn.shopify.com/s/files/1/0432/5556/2398/files/bovutulojulomizi.pdf
- https://cdn.shopify.com/s/files/1/0435/6128/7839/files/basic_calculus_book.pdf
- https://cdn.shopify.com/s/files/1/0433/5930/5880/files/cashflow_101_game_sheet.pdf
- https://cdn.shopify.com/s/files/1/0431/5666/8573/files/65882517491.pdf
- https://cdn.shopify.com/s/files/1/0435/1551/0938/files/budatuletivubuxudor.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005d4f.bin` `3f406d359e471e9bf8203f405e0424dc127698137bf43f6e68924ae8f87db7c5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5D4F	5412 bytes
`font_01_sfnt_off00006f92.bin` `ce305d30354e230bff605ecc1aafc4d654f9968b24c908d19e0e17e9e5d8bb4a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F92	9984 bytes
`font_02_sfnt_off000091c3.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x91C3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.