PDF malware analysis — malicious · da482f28b36bdfc2

MALICIOUS

PDF

69.8 KB Created: 2020-08-28 06:53:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c049f49a5028a4058855405b20fb2f1c SHA-1: 0ad5b9ceeec6ba54f08a761d7a92b52ee564e105 SHA-256: da482f28b36bdfc2716d2df9d55c755e1d6cbdb00439648d38c48492d6efebaa

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The primary malicious URL, https://ttraff.ru/pify?keyword=..., is a known redirector. The document body contains numerous embedded URLs, including the malicious redirector and benign Shopify links, suggesting a phishing or redirection attempt. The ML classifier strongly supports the malicious verdict.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=%25D8%25A7%25D9%2584%25D8%25B1%25D8%25B3%25D9%2585+%25D8%25A7%25D9%2584%25D8%25A8%25D9%258A%25D8%25A7%25D9%2586%25D9%258A+%25D9%2588%25D8%25A7%25D9%2584%25D8%25B1%25D8%25B3%25D9%2588%25D9%2585+%25D8%25A7%25D9%2584%25D8%25A8%25D9%258A%25D8%25A7%25D9%2586%25D9%258A%25D8%25A9+%25D9%2584%25D9%2584%25D8%25B5%25D9%2581
- http://files.christinarobohm.com/uploads/1/3/1/3/131384602/c3ec0c.pdf
- http://files.sassysewingandembroidery.com/uploads/1/3/0/7/130776275/xugolexog.pdf
- https://cdn.shopify.com/s/files/1/0440/4976/0406/files/48680185475.pdf
- https://cdn.shopify.com/s/files/1/0429/2299/9964/files/askep_anemia_defisiensi_besi.pdf
- https://cdn.shopify.com/s/files/1/0437/2440/6938/files/roduwoximisifoduz.pdf
- https://cdn.shopify.com/s/files/1/0432/3573/7764/files/pekomes.pdf
- https://cdn.shopify.com/s/files/1/0440/3465/4358/files/bonetrousle_holder_remix.pdf
- https://cdn.shopify.com/s/files/1/0428/3141/3415/files/40447671072.pdf
- https://cdn.shopify.com/s/files/1/0455/6242/9605/files/voxeganagudetujom.pdf
- https://cdn.shopify.com/s/files/1/0434/4882/8065/files/ielts_reading_answers_of_therapeutic.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_006_off0000ce5b.bin` `fe7efe9d2fa196eaa69286cda074a0d2099bb8cda21ce6a65f0609c53a69c713`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCE5B	32336 bytes
`font_00_sfnt_off00008625.bin` `ca42d5ed38f04d35f6c6ef927e9c0e2abbbfec64d896d823d531a8752c72a089`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8625	4068 bytes
`font_01_sfnt_off00009403.bin` `45c341efe787309ef1246e3503d13c8e0af362a07948040fb85871ffa2315ce1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9403	18184 bytes
`font_02_sfnt_off0000afcc.bin` `a33095dd0abfae7def260366eff9ff7906a754313a63389252aa0cd73cc7ed1e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAFCC	8844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.