PDF malware analysis — malicious · c07cb5b22d2fe02c

MALICIOUS

PDF

52.5 KB Created: 2020-08-02 11:27:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a8c22aef107741d1671d5aec3dbe857d SHA-1: 542422738a6ff4a4a973e271d31e0c92e593b072 SHA-256: c07cb5b22d2fe02c584c68bdc9b1044f8fa3e1be0c5fa21b54b9d1df4baf36f0

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, suggesting a link farm. The primary malicious URL identified is 'https://ttraff.ru/pify?keyword=646+326+9293', which is likely used to redirect users to a malicious site. The document body contains obfuscated text and embedded URLs, further supporting the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=646+326+9293
- http://files.erakah.com/uploads/1/3/1/3/131379940/6825812.pdf
- http://files.sacredsalontahoe.com/uploads/1/3/0/7/130775979/voxojonap.pdf
- http://files.anonymityfilms.com/uploads/1/3/0/7/130775939/meripidupini.pdf
- http://files.hopefulbyhope.ca/uploads/1/3/1/4/131408100/zagazajavemepijotot.pdf
- https://cdn.shopify.com/s/files/1/0433/3862/9270/files/xuvijofazunozaji.pdf
- https://cdn.shopify.com/s/files/1/0437/9744/6813/files/33808971590.pdf
- https://cdn.shopify.com/s/files/1/0438/0937/4365/files/xugewut.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/71860998709.pdf
- https://cdn.shopify.com/s/files/1/0434/1946/7943/files/wobet.pdf
- https://cdn.shopify.com/s/files/1/0438/5990/2624/files/vigomebamefadosuwi.pdf
- https://cdn.shopify.com/s/files/1/0436/9563/6633/files/17546244238.pdf
- https://cdn.shopify.com/s/files/1/0433/5216/2462/files/xudogokibajegilago.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/28068876324.pdf
- https://cdn.shopify.com/s/files/1/0430/6105/1546/files/xcf_to_png.pdf
- https://cdn.shopify.com/s/files/1/0432/8154/7417/files/34507920624.pdf
- https://cdn.shopify.com/s/files/1/0428/9898/1030/files/11146800471.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007d95.bin` `7a2ebe3cb1347baf7875d63fde3d7a8e9a550f69e17aa8773b4a233d2e333647`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D95	4088 bytes
`font_01_sfnt_off00008b4d.bin` `4fb6a9ee73cc03bb724361c162ffad3bd23ae145607274bf429cb94f1015af56`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B4D	13836 bytes
`font_02_sfnt_off0000b72f.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB72F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.