PDF malware analysis — malicious · cdc6e9d9b172c492

MALICIOUS

PDF

43.5 KB Created: 2020-08-02 01:17:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a43ed6850b6b4f0184024f379c287417 SHA-1: ffdb5d56eaa29bdaf3e0504183df68b7609da465 SHA-256: cdc6e9d9b172c4926377f2d20d749310443f01bca651f8dc0cb3a6ea8c62bd00

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is disguised as a pharmacy personal statement example. This heuristic, combined with the ML classifier's high confidence score, indicates a malicious intent to redirect users to harmful content. The document body, though heavily obfuscated, contains the target URL and references to other PDF files hosted on Shopify, suggesting a link farm or content-luring strategy.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=pharmacy+personal+statement+examples
- http://files.crazylecture.com/uploads/1/3/0/7/130739996/jozikugofexumi-tuluk-zavesimovag.pdf
- http://files.afrhdevelopment.com/uploads/1/3/0/7/130775503/jomogupe_demulefav_zizukukiju.pdf
- http://files.amityschuyler.com/uploads/1/3/0/7/130739827/4511926.pdf
- https://cdn.shopify.com/s/files/1/0429/7188/9815/files/50280456424.pdf
- https://cdn.shopify.com/s/files/1/0430/8477/5578/files/pidape.pdf
- https://cdn.shopify.com/s/files/1/0431/2691/5239/files/84103394180.pdf
- https://cdn.shopify.com/s/files/1/0433/0009/4112/files/12803303746.pdf
- https://cdn.shopify.com/s/files/1/0432/1653/5720/files/kukaduberijob.pdf
- https://cdn.shopify.com/s/files/1/0428/1712/6563/files/26667204907.pdf
- https://cdn.shopify.com/s/files/1/0440/1650/0886/files/siketetevigefidisenogiri.pdf
- https://cdn.shopify.com/s/files/1/0434/0292/0086/files/lapitukujaseje.pdf
- https://cdn.shopify.com/s/files/1/0433/6127/1959/files/37229001201.pdf
- https://cdn.shopify.com/s/files/1/0428/3963/8179/files/77324316931.pdf
- https://cdn.shopify.com/s/files/1/0433/2018/0894/files/83298598435.pdf
- https://cdn.shopify.com/s/files/1/0433/0392/7973/files/27395802019.pdf
- https://cdn.shopify.com/s/files/1/0436/1139/0115/files/dugupofuzigonevogineluwok.pdf
- https://cdn.shopify.com/s/files/1/0432/6067/4198/files/55588735499.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006c9b.bin` `8480833ca29724a6b1685d3385fa3ae583986243ed3b024b813c46d64d7e33c6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C9B	5344 bytes
`font_01_sfnt_off00007eac.bin` `11467743168248e2fb96da0e504c7bea483b79517749d342e815ce98d5a3278c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EAC	10092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.