PDF malware analysis — malicious · b7f80531d188d2e5

MALICIOUS

PDF

140.8 KB Created: 2020-08-05 08:22:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c2e50525f3b8eec513f3103640c1b63d SHA-1: 421c1a0dcccb31b626966dbabf3d32e35e0f635e SHA-256: b7f80531d188d2e5cfe4463c17b26bd0dfd265176c9baf424c495c7b25277c2f

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a search result for 'Al quran english pdf'. This link, 'https://ttraff.ru/pify?keyword=al+quran+english+pdf', leads to known malicious infrastructure. The document also features a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO manipulation tactic to distribute malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=al+quran+english+pdf
- http://files.2as.ency-education.com/uploads/1/3/0/7/130775309/cee3c1a153bf894.pdf
- http://files.loddoncommunitygym.com/uploads/1/3/2/7/132710795/950fa2051dc95bd.pdf
- http://files.jancancan.com/uploads/1/3/1/4/131406413/sosazidisajawaj-ledosol-vaxodavuv-ziwobedomanefon.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/9204741539.pdf
- https://cdn.shopify.com/s/files/1/0428/2518/7491/files/bonamagurudilinilunijajo.pdf
- https://cdn.shopify.com/s/files/1/0437/9266/2688/files/56734686139.pdf
- https://cdn.shopify.com/s/files/1/0431/7564/1247/files/duvugofiwuwivul.pdf
- https://cdn.shopify.com/s/files/1/0437/7319/8497/files/fetojekuxaz.pdf
- https://cdn.shopify.com/s/files/1/0434/0924/4317/files/baganowaz.pdf
- https://cdn.shopify.com/s/files/1/0431/6525/3789/files/kawakaburi_no_cherry.pdf
- https://cdn.shopify.com/s/files/1/0435/3818/6394/files/watson_glaser_critical_thinking_skills_test.pdf
- https://cdn.shopify.com/s/files/1/0427/7328/2983/files/80988371901.pdf
- https://cdn.shopify.com/s/files/1/0437/2021/2645/files/58438316105.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_006_off0001ea97.bin` `2dfb21b0909806e6bb02e92f2450e6e6ff0e1b82169f170025099a8f2008ddbd`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1EA97	23664 bytes
`font_00_sfnt_off0001ae3f.bin` `d02ad8462a6884063f60d6a09a3ac19d0f6a931aa4fe6436b9c2ab4d3be16585`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1AE3F	5420 bytes
`font_01_sfnt_off0001c0a0.bin` `d14b29611a9e789e90a6ad303df181ad23dbb6441c7b38cf3f486065adf5cbca`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1C0A0	12744 bytes
`font_03_sfnt_off00021569.bin` `80e4970d4f0d87b59d83c19958edde3c4f1ed46a84b8e35c1ff2439433b13e0f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x21569	6356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.