PDF malware analysis — malicious · b688f96a82b61dc5

MALICIOUS

PDF

41.4 KB Created: 2020-08-11 22:46:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bcf0dcd1acfe85130c36698e02ad8893 SHA-1: 97cc6af60ea82302c9763624c63489fc64da452a SHA-256: b688f96a82b61dc5c83bf66b9d9da5a9538bc050560a1f2764a5483e8122a624

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of embedded external links, indicative of a link farm. The primary malicious URL identified is https://ttraff.ru/pify?keyword=cesarea+definicion+pdf, which is a known malicious redirector. The document body contains garbled text but also includes the same malicious URL and numerous benign-looking Shopify URLs, suggesting an attempt to disguise malicious activity within a large volume of links. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=cesarea+definicion+pdf
- http://files.homeschoolpartners.net/uploads/1/3/0/7/130775027/zetow-zagadaru.pdf
- http://files.earforlanguage.com/uploads/1/3/1/4/131454158/54c9c.pdf
- http://baker.gratitudetravels.com/uploads/1/3/2/6/132695471/9575692.pdf
- https://cdn.shopify.com/s/files/1/0430/7035/7653/files/tawibavetasafenu.pdf
- https://cdn.shopify.com/s/files/1/0432/6889/8966/files/automobile_engineering_books_in_bengali.pdf
- https://cdn.shopify.com/s/files/1/0440/1859/8053/files/amino_acids_structure_classification_and_their_properties.pdf
- https://cdn.shopify.com/s/files/1/0434/4378/1792/files/todafijijedamaw.pdf
- https://cdn.shopify.com/s/files/1/0430/4555/2277/files/waserix.pdf
- https://cdn.shopify.com/s/files/1/0438/1841/8333/files/search_doc_on_ipad.pdf
- https://cdn.shopify.com/s/files/1/0434/4712/4135/files/vawevipaluw.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/5676577217.pdf
- https://cdn.shopify.com/s/files/1/0436/8223/4521/files/99668991553.pdf
- https://cdn.shopify.com/s/files/1/0435/8311/1325/files/73748437751.pdf
- https://cdn.shopify.com/s/files/1/0432/0477/1999/files/56741893311.pdf
- https://cdn.shopify.com/s/files/1/0434/0023/3112/files/sudefufugikalemizo.pdf
- https://cdn.shopify.com/s/files/1/0433/3672/8726/files/dapebepixirite.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064b6.bin` `9df54196efffce608a56dd36e6f6e25803a2fcc61fbbfa46043c76978889bc29`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64B6	5024 bytes
`font_01_sfnt_off000075d2.bin` `6fd5ae09a3a7301f08c2b68ad3f1e204d06d53eb6b4fa5d5b9c71f2155bc38c6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75D2	10612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.