PDF malware analysis — malicious · da0ca50f1de8f5f0

MALICIOUS

PDF

44.6 KB Created: 2020-08-21 13:48:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c975d780f4146dcc074e1028a82d4e77 SHA-1: 591049c9c7b8f4d99f09a05845812791be7f5d8b SHA-256: da0ca50f1de8f5f064f86300fa8c72d606e10b3696b67894d4ea6ef4607ba1e0

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a "Cinema 4D text animation template". This suggests a social engineering lure to drive traffic to malicious infrastructure. The PDF also hosts a large number of external links, many pointing to Shopify domains, likely as part of a link farm to improve SEO for malicious content. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=cinema+4d+text+animation+template
- http://files.fibromyalgiamadesimple.com/uploads/1/3/0/9/130969403/956476.pdf
- http://files.katelyns-creations.com/uploads/1/3/1/4/131437249/xukatewemavipu.pdf
- https://cdn.shopify.com/s/files/1/0429/9731/7783/files/zonalokubepabujevi.pdf
- https://cdn.shopify.com/s/files/1/0432/4111/1716/files/89819931979.pdf
- https://cdn.shopify.com/s/files/1/0428/8082/7558/files/tifoxejatagomawux.pdf
- https://cdn.shopify.com/s/files/1/0434/7366/6213/files/60219691519.pdf
- https://cdn.shopify.com/s/files/1/0430/5348/2138/files/56459779143.pdf
- https://cdn.shopify.com/s/files/1/0430/4686/3005/files/juxupozotujuxuxazuve.pdf
- https://cdn.shopify.com/s/files/1/0435/1610/0776/files/71488206295.pdf
- https://cdn.shopify.com/s/files/1/0432/9088/6312/files/transportation_worksheet_preschool.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006459.bin` `9fc008bd0ad2e2f75ccb901dd042bb048a8b78e38e5c8bbc8e376f87e7bc0b72`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6459	4796 bytes
`font_01_sfnt_off0000749b.bin` `dc809b587c451fcb51e2f57b02c44bd9e77361285ccff6aa433e2021958a1b62`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x749B	10228 bytes
`font_02_sfnt_off000097b8.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97B8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.