PDF malware analysis — malicious · c08881c5da8efc31

MALICIOUS

PDF

42.8 KB Created: 2020-08-11 23:48:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c3538941c63701929d10432d05f7a305 SHA-1: 293c42969f250b9fe8d88e5860dad65af0e2f578 SHA-256: c08881c5da8efc31855c1c0cdfc3c3ef5ece1f809794c0d1d5498b4b1cd0a767

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically `https://ttraff.ru/pify?keyword=can+t+help+falling+in+love+piano+chords+pdf`. This URL is presented within a document body that appears to be a lure for piano chord information. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to `cdn.shopify.com` which is likely used to host or proxy the malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=can+t+help+falling+in+love+piano+chords+pdf
- http://kosuzi.notesmove.com/uploads/1/3/1/8/131857631/rolotimemaminod.pdf
- http://zamonepiw.johnknoxhouston.org/uploads/1/3/1/1/131163599/4541725.pdf
- http://wuzelebi.swanseaspeechandlanguage.co.uk/uploads/1/3/1/3/131379578/2971268.pdf
- https://cdn.shopify.com/s/files/1/0434/2933/1100/files/66572069841.pdf
- https://cdn.shopify.com/s/files/1/0434/4607/5542/files/can_i_tink_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0431/4916/4698/files/2785666783.pdf
- https://cdn.shopify.com/s/files/1/0436/5837/9417/files/xivubupe.pdf
- https://cdn.shopify.com/s/files/1/0427/6997/3415/files/wenetoduputexenadokizexi.pdf
- https://cdn.shopify.com/s/files/1/0430/4646/9793/files/c_s_lewis_space_trilogy.pdf
- https://cdn.shopify.com/s/files/1/0431/3694/2234/files/xubabebadoxabavi.pdf
- https://cdn.shopify.com/s/files/1/0431/5627/5362/files/jowipenesur.pdf
- https://cdn.shopify.com/s/files/1/0431/0709/0581/files/tibiroxirata.pdf
- https://cdn.shopify.com/s/files/1/0435/5037/6099/files/makalah_budaya_bali.pdf
- https://cdn.shopify.com/s/files/1/0430/5757/8138/files/noluzuti.pdf
- https://cdn.shopify.com/s/files/1/0427/6604/1244/files/wevujiwopive.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004ed8.bin` `23a2aeb84b64351baab03c7304a42b1697296a35d08e38d5f6f06def6f3987ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4ED8	5288 bytes
`font_01_sfnt_off000060d7.bin` `4fe77f325468297b27fc956a84e3735805536eeeb416236a3833f0e6e7f985bf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60D7	14440 bytes
`font_02_sfnt_off00008e51.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8E51	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.