PDF malware analysis — malicious · b38843250056d65c

MALICIOUS

PDF

33.9 KB Created: 2020-07-10 02:17:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a24eeded48dd4b4788c9846104fd1888 SHA-1: 16f31a22318c2dff1dc1d1e981dc41a08f5ca9de SHA-256: b38843250056d65c0b1279f5d0b9fa3005ac9793660b0704c361adedc3d118de

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, many of which point to domains associated with SEO link farms. One prominent link redirects to 'ttraff.ru', a known malicious redirector. The document body, though partially obfuscated, includes keywords like 'Aisin water pump catalogue pdf' and references to 'wkhtmltopdf', suggesting a lure to disguise malicious links as legitimate content. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=aisin%20water%20pump%20catalogue%20pdf
- http://files.occmedfordcs.com/uploads/1/3/0/7/130738562/bukim-juwejeb.pdf
- http://files.ashleyparsonsyoga.com/uploads/1/3/2/7/132740415/newixebomufobezofawe.pdf
- http://files.rivermenrodandgunclub.com/uploads/1/3/2/3/132302973/nomegariwutok-wibiwu-visinatixubuj-sojimuta.pdf
- http://files.mewellc.com/uploads/1/3/0/9/130969503/dogup.pdf
- http://files.brianpiercelaw.com/uploads/1/3/1/8/131860204/niwis.pdf
- http://files.tjcsga.org/uploads/1/3/2/7/132740730/1f5813bb3.pdf
- http://files.2waytomobile.com/uploads/1/3/1/3/131380482/1735186.pdf
- https://xibojiwox.files.wordpress.com/2020/06/57610845419.pdf
- https://gozikes.files.wordpress.com/2020/06/zufisativu.pdf
- https://puponiwil.files.wordpress.com/2020/07/41108812325.pdf
- https://potataz.files.wordpress.com/2020/06/87070608995.pdf
- https://bafudanovowi.files.wordpress.com/2020/06/puwepemoxivokaxox.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/palafasejuzanuz.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78539107281.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kiwovanigefuminif.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/medade.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pejolezogumulugadajo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xogasetixudaxaw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004923.bin` `79f11b0f0fcd3f1987ca884947885850ab0c23f38a12420bf1baf2cc71d1c60c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4923	5440 bytes
`font_01_sfnt_off00005b92.bin` `689e64eb8b0fb765700208a09c424dbaa077b00a5745b6e34a13a9f03f549ffd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5B92	9180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.