PDF malware analysis — malicious · b203be43e8ee32e6

MALICIOUS

PDF

47.6 KB Created: 2020-08-06 03:22:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c2e119237194f404e5de5f31ba7c9c9c SHA-1: 37579633af1a00f85ee84308458314fff4da2ea9 SHA-256: b203be43e8ee32e6d7ce11369ed460751296f232113b98cb4e70fbe0907abf37

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one heuristic specifically identifying it as a PDF link farm. The primary malicious URL, `https://ttraff.com/pify?keyword=cascarilla+de+arroz+como+sustrato+pdf`, is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body appears to be largely obfuscated or contains metadata rather than user-facing content, but the presence of numerous links and the malicious redirector strongly suggest a phishing or SEO manipulation attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cascarilla+de+arroz+como+sustrato+pdf
- http://files.navp.co.uk/uploads/1/3/0/9/130968956/kojiva_sapegitoxani.pdf
- http://files.lauraheathstout.com/uploads/1/3/2/6/132695575/ab266ae9.pdf
- http://files.espanishblues.com/uploads/1/3/0/7/130775592/b63c53f230537.pdf
- http://files.fhpsc.ca/uploads/1/3/1/4/131454190/sikifunem.pdf
- http://files.firedglass.org/uploads/1/3/2/6/132683017/3727699.pdf
- https://cdn.shopify.com/s/files/1/0437/3577/7445/files/kifiwalapadavov.pdf
- https://cdn.shopify.com/s/files/1/0430/4296/3613/files/sumakatafanojafigedikuf.pdf
- https://cdn.shopify.com/s/files/1/0431/9212/3560/files/le_fond_diffus_cosmologique.pdf
- https://cdn.shopify.com/s/files/1/0427/9356/6364/files/54953371422.pdf
- https://cdn.shopify.com/s/files/1/0437/1808/2709/files/4038959231.pdf
- https://cdn.shopify.com/s/files/1/0431/4556/0225/files/61367381163.pdf
- https://cdn.shopify.com/s/files/1/0428/7738/6918/files/59906108680.pdf
- https://cdn.shopify.com/s/files/1/0435/1868/9432/files/84323369439.pdf
- https://cdn.shopify.com/s/files/1/0428/2767/7852/files/sawuxazibobivekaruje.pdf
- https://cdn.shopify.com/s/files/1/0431/8402/9854/files/89326724386.pdf
- https://cdn.shopify.com/s/files/1/0434/1838/6588/files/wiwazokukipina.pdf
- https://cdn.shopify.com/s/files/1/0430/4211/1650/files/nuwajosowaleku.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000078f0.bin` `25e846bd267b59f338751e59d6300a7e2a16c98ad7a9ebc5b5f21948036c46ba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78F0	5256 bytes
`font_01_sfnt_off00008abb.bin` `101c6b441b7d306c220fdd9a5701751550d9c6d49325431fc794cee1d75a28c0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8ABB	11320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.