PDF malware analysis — malicious · b90f8c6cbf20f5b8

MALICIOUS

PDF

50.7 KB Created: 2020-08-29 17:50:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e790643de707e7765316a2c926160ecf SHA-1: 303dd062d8fe350b088f4395b81e3576ec5fc320 SHA-256: b90f8c6cbf20f5b8f10d10ca3e538a3ae3222d10ccd7e36588d6081102a48e63

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link to 'https://ttraff.link/wix?keyword=candydoll+evar+torrent', which is flagged as a malicious redirector. The document body also contains this URL and other links to external PDFs, suggesting a lure to malicious content. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=candydoll+evar+torrent
- https://static.usrfiles.com/ugd/b8c837_4b55f49e693e46bea086a135bffa4e90.pdf
- https://static.usrfiles.com/ugd/b8c837_c190173c940b48559d2cda89728aa1a2.pdf
- https://static.usrfiles.com/ugd/d78803_90fb70abd6844de49e63d8f3747dcb22.pdf
- https://static.usrfiles.com/ugd/b8c837_e81b3a8bda664ba2b2e53345be4cb0df.pdf
- https://cdn.shopify.com/s/files/1/0429/1903/5033/files/33147310182.pdf
- https://cdn.shopify.com/s/files/1/0439/2953/4632/files/vafemadofif.pdf
- https://cdn.shopify.com/s/files/1/0436/0863/7602/files/yowhatsapp_apk_old_version.pdf
- https://cdn.shopify.com/s/files/1/0435/4116/8283/files/32363749379.pdf
- https://cdn.shopify.com/s/files/1/0433/7077/4693/files/33394608637.pdf
- https://cdn.shopify.com/s/files/1/0431/4857/4886/files/75005955515.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e0b.bin` `29299a420a6e0481c7f62c16805aef75bcfe7145889bd83e866e751f05437041`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E0B	3812 bytes
`font_01_sfnt_off00007b97.bin` `d5b975aea848252162d4ae7e176492063ab3657fbb55f77e4f93bac6e2b96dfd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B97	4564 bytes
`font_02_sfnt_off00008b37.bin` `b7b95fc01dd8d1944ddf2d30ee7eb6952629f712b744d1a71f8e045253ffc44e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B37	10316 bytes
`font_03_sfnt_off0000ae6a.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAE6A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.