Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5536028f4bc2122…

Verdict: MALICIOUS

File type: PDF

Size: 69.1 KB   Created: 2020-08-10 08:26:28 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98736e6bfc36dd8711d6046a2c76b4d2   SHA-1: a6feb58a3dffb023d8ed3a03fd2d9328cb7534b7   SHA-256: d5536028f4bc2122cab1b2dda3325f6502cb530a67f37f9c02bfebc2f5c60e2d
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment (the PDF itself, delivered to the victim)
T1566.002 Phishing: Spearphishing Link (the clickable redirector and link-farm URIs inside the document)
T1059.001 Command and Scripting Interpreter: PowerShell (listed, but no script content was extracted from this sample, so this mapping is not supported by the static findings)

The PDF carries a large set of clickable link annotations. The critical heuristic fired on a link to the redirector 'https://ttraff.ru/pify?keyword=alphabet+numbers+chart+pdf'; the remaining links point to further PDFs, most of them on a single CDN host, which is the pattern of a generated SEO link-farm carrier. The document depends on the user clicking through rather than on a parser exploit: no script content was extracted, so the risk is the redirect chain behind the links, not the act of opening the file. The ML classifier independently scored the sample as malicious (1.0000).

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK  PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the exposure is the click, not the open.
  • [critical] PDF_SEO_LINK_FARM  Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host (here cdn.shopify.com, 9 of the 14 PDF link targets). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal citation pattern.
  • [info] EMBEDDED_URL  Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached each URL (macro, JS, link annotation, document body, ...), given by the per-URL labels.
    Link targets (the redirector plus 14 external PDF links):
    • https://ttraff.ru/pify?keyword=alphabet+numbers+chart+pdf
    • http://files.mikaylabourquephotography.com/uploads/1/3/1/3/131380337/foliwexozuboti_bazozanin_muxukakopo_sezuru.pdf
    • http://files.heavenlyfreshfarm.com/uploads/1/3/2/6/132681293/84bfea63.pdf
    • http://files.ccamchurch.org/uploads/1/3/1/4/131410479/tilisedeben.pdf
    • http://files.globalmusicp.com/uploads/1/3/1/4/131437806/zegeniliritesob.pdf
    • http://files.oxbowriversnorkeling.com/uploads/1/3/0/7/130739251/bidisu_kuwadapaduju_wajunubu_metiwosa.pdf
    • https://cdn.shopify.com/s/files/1/0434/4610/8312/files/cement_manufacturing_handbook.pdf
    • https://cdn.shopify.com/s/files/1/0433/7467/4083/files/83218050191.pdf
    • https://cdn.shopify.com/s/files/1/0432/0421/4942/files/95043778426.pdf
    • https://cdn.shopify.com/s/files/1/0436/8600/2838/files/ziralexomo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2045/1997/files/sojijazulizuzadokuraga.pdf
    • https://cdn.shopify.com/s/files/1/0431/7190/5698/files/sizufozofolibi.pdf
    • https://cdn.shopify.com/s/files/1/0430/7766/4929/files/70404483498.pdf
    • https://cdn.shopify.com/s/files/1/0430/0754/1401/files/vejajakujisegapumi.pdf
    • https://cdn.shopify.com/s/files/1/0428/3082/3583/files/wepeturositikivixolu.pdf
    Metadata namespace URIs (XMP/RDF schema identifiers found in the document metadata; not clickable links and not a finding):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
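As an added example, not part of this report and not the scanner that produced it, the following Python script reproduces the three heuristics above on a constructed PDF. It labels every URL with the channel that reached it (link annotation, raw document text, or XMP namespace), inflates FlateDecode streams so that link annotations packed inside object streams are still seen, and then applies the redirector and link-farm checks to link annotations only. The threshold values, the sample PDF built by build_sample_pdf(), the example.com/example.net/example.org hosts and the KNOWN_REDIRECTOR_HOSTS set (seeded only with the ttraff.ru host named in this report) are assumptions.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Redirector hosts to match against link annotations. Seeded only with the host
# named in this report (assumption); a deployment would load a maintained denylist.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# XMP/RDF schema identifiers that live in PDF metadata. They look like URLs but
# are not clickable and must not count toward link-farm scoring.
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")        # /URI (literal string) in a link action
LOOSE_URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")     # anything URL-shaped in raw bytes
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\").decode("latin-1")


def _bodies(pdf: bytes):
    """Yield the raw file, then the contents of every stream that inflates as FlateDecode."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or non-Flate stream: its bytes were already scanned raw


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs; link annotations are labelled before loose text hits."""
    found, seen = [], set()
    for body in _bodies(pdf):
        for m in URI_RE.finditer(body):
            url = _unescape(m.group(1))
            if url not in seen:
                seen.add(url)
                found.append(("link-annotation", url))
        for m in LOOSE_URL_RE.finditer(body):
            url = m.group(0).decode("latin-1")
            if url in seen:
                continue
            seen.add(url)
            channel = "xmp-namespace" if url.startswith(METADATA_NAMESPACE_PREFIXES) else "body-text"
            found.append((channel, url))
    return found


def assess(pdf: bytes, *, max_size=200_000, min_links=8, min_host_share=0.5) -> dict:
    """Apply the redirector and link-farm checks to link annotations; thresholds are assumptions."""
    urls = extract_urls(pdf)
    links = [u for ch, u in urls if ch == "link-annotation"]
    ext_pdf = [u for u in links
               if urlsplit(u).scheme in ("http", "https") and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(ext_pdf) if ext_pdf else 0.0
    redirectors = sorted(u for u in links if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS)
    findings = []
    if redirectors:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= max_size and len(ext_pdf) >= min_links and share >= min_host_share:
        findings.append("PDF_SEO_LINK_FARM")
    if any(ch != "xmp-namespace" for ch, _ in urls):
        findings.append("EMBEDDED_URL")
    return {"size": len(pdf), "urls": urls, "external_pdf_links": len(ext_pdf),
            "top_host": top_host, "top_host_share": round(share, 3),
            "redirectors": redirectors, "findings": findings}


def _link_annot(url: str) -> bytes:
    esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (" + esc.encode() + b") >> >>"


def build_sample_pdf() -> bytes:
    """Constructed input, not the analysed sample: nine external PDF links (seven on one host),
    the redirector from this report, three of the links packed in a FlateDecode object stream,
    and an XMP block whose namespace URIs must be ignored. No xref table is written: the
    scanner never needs one, and damaged or xref-less files are what a carver must cope with."""
    farm = [f"https://cdn.example.com/s/files/1/{i:04d}/files/{i}.pdf" for i in range(7)]
    others = ["http://files.example.net/uploads/1/3/1/3/131380337/a.pdf",
              "http://files.example.org/uploads/1/3/2/6/132681293/b.pdf"]
    redirector = "https://ttraff.ru/pify?keyword=alphabet+numbers+chart+pdf"
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF"
           b" xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'"
           b" xmlns:dc='http://purl.org/dc/elements/1.1/'"
           b" xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    plain = [_link_annot(u) for u in farm[:5] + [others[0], redirector]]
    packed = zlib.compress(b"\n".join(_link_annot(u) for u in farm[5:] + others[1:]))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
        + b" ".join(b"%d 0 R" % n for n in range(5, 5 + len(plain))) + b"] >>",
        *plain,
        b"<< /Type /ObjStm /N 3 /First 0 /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    out = b"%PDF-1.5\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, body) for n, body in enumerate(objs, 1))
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    report = assess(build_sample_pdf())
    for channel, url in report["urls"]:
        print(f"{channel:16} {url}")
    print(report["findings"], report["top_host"], report["top_host_share"])
```

Only the link-annotation channel feeds the scores; body-text hits and namespace URIs are reported so the analyst can see them but never fire a heuristic, which is what keeps the six XMP identifiers in this report from inflating the link count. The FlateDecode inflation matters because, as the artifact list below shows, this file's content lives in FlateDecoded streams; a production scanner would additionally decode the other standard filters, walk object streams by their /First offsets, and parse xref streams rather than pattern-match the raw bytes.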

Extracted artifacts (4)

Files carved from inside the sample during analysis. No heuristic fired on these artifacts; the findings above come from the link annotations, and three embedded sfnt (TrueType/OpenType) fonts plus one decompressed content stream are what a wkhtmltopdf-rendered page would be expected to contain.

Filename, SHA-256, kind, source and size of each carved file:

stream_006_off0000e9f6.bin
  SHA-256: deaee9bbab035303903f78f66820634ed744560edfa5db2d5fa3f0872755478d
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xE9F6
  Size:    19300 bytes
font_00_sfnt_off000090bb.bin
  SHA-256: 5dae99a47ded29101266e1cc6eadef0543547adcf4f93e1e2a7a537a72b25bbd
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x90BB
  Size:    7032 bytes
font_01_sfnt_off0000a8a2.bin
  SHA-256: bd9e975873dd23926aa7848a302f2d8b8c4a29d2edd04c4d1c1aed430d030e78
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA8A2
  Size:    5524 bytes
font_02_sfnt_off0000bb35.bin
  SHA-256: 27c651fd75dd60b100cf27633058985b808070bca37934af70e0c35913c6dc44
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xBB35
  Size:    15224 bytes