PDF malware analysis — malicious · d9bbf5f785107474

MALICIOUS

PDF

37.7 KB Created: 2020-08-29 12:48:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9a579fb0176e05247d5641b9ad9e8b6a SHA-1: c890fd1bf61ddb6d65a23c5d41610d0355928fc8 SHA-256: d9bbf5f7851074740562c1a5233768883d4512c33c174c8c1f857778dd920267

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, characteristic of a link farm. One of these links, https://ttraff.com/wix?keyword=route+66+manhattan+transfer+sheet+mu, is flagged as a known malicious redirector. This suggests the document's primary purpose is to lure users to malicious websites through this link farm.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=route+66+manhattan+transfer+sheet+mu
- https://static.usrfiles.com/ugd/10b11f_c2dbac9db4cf48b389980640bd7315f4.pdf
- https://static.usrfiles.com/ugd/b8c837_456581d623724a0ba0fe5da1d497ffa4.pdf
- https://static.usrfiles.com/ugd/b8c837_d85633b8d99447e8aee8a0fc19199416.pdf
- https://static.usrfiles.com/ugd/b8c837_20112825a67444488be804422d35c2d6.pdf
- https://cdn.shopify.com/s/files/1/0432/2515/3698/files/tinkers_construct_2_modifiers.pdf
- https://cdn.shopify.com/s/files/1/0459/7127/5943/files/niledoxexilemewuxu.pdf
- https://cdn.shopify.com/s/files/1/0428/9354/1532/files/beseg.pdf
- https://cdn.shopify.com/s/files/1/0435/4487/1063/files/vunom.pdf
- https://cdn.shopify.com/s/files/1/0427/4742/9031/files/51233401145.pdf
- https://static.usrfiles.com/ugd/b8c837_58c29aafaa934d519071cae7d389eba7.pdf
- https://static.usrfiles.com/ugd/b8c837_f7b99b6464864c338379f84ed86d63f1.pdf
- https://static.usrfiles.com/ugd/b8c837_1e91a634fb4d42afa64c2b9967012a9c.pdf
- https://static.usrfiles.com/ugd/b8c837_c8a3b5f26b1c43e3b0c78f03e4a0e224.pdf
- https://static.usrfiles.com/ugd/b8c837_92d019ecb801464db47676ffecc597f4.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/magizokoluredofet.pdf
- https://cdn.shopify.com/s/files/1/0427/5847/1846/files/recipient_address_formal_letter.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vunususojorimit.pdf
- https://cdn.shopify.com/s/files/1/0427/9074/8316/files/zonuvonabewed.pdf
- https://cdn.shopify.com/s/files/1/0438/4266/6656/files/79449674744.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000557f.bin` `b36e63f67de25b6b4c05672453a20efa907ddcec7523af0f4cf22327f1d097b0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x557F	5136 bytes
`font_01_sfnt_off000066c7.bin` `738ba3191de1a815a1ae6bd39c56b42d813463ab14fae1476a9bd0db1310f424`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66C7	10376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.