PDF malware analysis — malicious · d9e3e9efc18446a2

MALICIOUS

PDF

40.3 KB Created: 2020-08-14 20:32:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a8899887040c2a9d7fa290a1f5f3fc98 SHA-1: ba9ec0cd7d4a2d2d4a5e1310b89d06da43ad5991 SHA-256: d9e3e9efc18446a2d6e284453b193409f7e9725f058ec2b773ec9c385dc15bd5

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=fault+tree+analysis+template+word'. This URL is presented as a 'fault tree analysis template word', a common lure for users seeking templates. The PDF also exhibits characteristics of a link farm, with many external links, including one to 'https://cdn.shopify.com/s/files/1/0432/7967/9646/files/98051186740.pdf'. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=fault+tree+analysis+template+word
- http://files.roadiesrule.com/uploads/1/3/1/4/131453109/e6d131417cd7.pdf
- http://files.georgeskisscollection.com/uploads/1/3/1/4/131454521/4569512.pdf
- http://gimoguz.ohiocensus.org/uploads/1/3/1/6/131607600/91f4658.pdf
- https://cdn.shopify.com/s/files/1/0432/7967/9646/files/98051186740.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/godikuka.pdf
- https://cdn.shopify.com/s/files/1/0447/4185/3333/files/california_dmv_handbook.pdf
- https://cdn.shopify.com/s/files/1/0438/8998/3640/files/kusofivi.pdf
- https://cdn.shopify.com/s/files/1/0435/7901/5331/files/enterprise_risk_management_template.pdf
- https://cdn.shopify.com/s/files/1/0431/0358/4409/files/71537012900.pdf
- https://cdn.shopify.com/s/files/1/0435/2271/9912/files/65997276838.pdf
- https://cdn.shopify.com/s/files/1/0434/1648/6040/files/ganimo.pdf
- https://cdn.shopify.com/s/files/1/0432/8534/8510/files/wajuxoniwaj.pdf
- https://cdn.shopify.com/s/files/1/0439/1357/6603/files/7414509020.pdf
- https://cdn.shopify.com/s/files/1/0429/1110/5183/files/wijenuji.pdf
- https://cdn.shopify.com/s/files/1/0431/6594/1917/files/problemas_psicologicos_en_nios.pdf
- https://cdn.shopify.com/s/files/1/0429/6127/2983/files/french_to_english_dictionary_free.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006064.bin` `b3d8298e3c21ce3fc1a5be2d0feaaa5f2609e21a069fbd48fcb1d52752d19eb3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6064	5252 bytes
`font_01_sfnt_off00007242.bin` `18e9ef3c8f99a320e56779f9ef98a7391083d6d7e1c91c44e5e9fe175bc3cf6c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7242	9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.