PDF malware analysis — malicious · ea277513a1e61ad7

MALICIOUS

PDF

63.1 KB Created: 2020-08-31 04:16:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a418b1ddc73fcba98edae412f018eae4 SHA-1: 00f4126ca419aa071805730250731516b6510047 SHA-256: ea277513a1e61ad7ef9a2aa94fde346665d220389f9b8c0372c34a73c2bb71cb

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with 28 external PDF links identified. One of these links, 'https://ttraff.cc/wix?keyword=yoshi+island+advance', is flagged as a known malicious redirector. The document body appears to be obfuscated or corrupted, but the presence of the malicious link and the link farm structure strongly suggest a phishing or redirection attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=yoshi+island+advance
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zogubarekerebadopotuleju.pdf
- https://cdn.shopify.com/s/files/1/0428/4658/4999/files/gubumifogilopo.pdf
- https://cdn.shopify.com/s/files/1/0433/3309/1480/files/buguviravomabukapupod.pdf
- https://static.usrfiles.com/ugd/d17951_b9ab3b113520443da5c36f4982639703.pdf
- https://static.usrfiles.com/ugd/ec0c41_2d1490dc78164f46bca4d42364dd6eef.pdf
- https://static.usrfiles.com/ugd/9219f8_2122601f95c54a639761712a80f2e35f.pdf
- https://static.usrfiles.com/ugd/b8c837_9947050d62384407bd39a6aeef7e5bc2.pdf
- https://static.usrfiles.com/ugd/8de238_c725cc0288b84479abf4ca7b538cd806.pdf
- https://static.usrfiles.com/ugd/b8c837_7f9e051fc1024cb1a83a812d439373db.pdf
- https://cdn.shopify.com/s/files/1/0429/8611/1137/files/fupazokuxumulerub.pdf
- https://cdn.shopify.com/s/files/1/0428/3380/5471/files/55392697310.pdf
- https://cdn.shopify.com/s/files/1/0432/1322/6143/files/db_legends_mod_apk_unlimited_gems.pdf
- https://cdn.shopify.com/s/files/1/0430/8605/3527/files/55421875561.pdf
- https://cdn.shopify.com/s/files/1/0433/6667/8696/files/2017_chevrolet_suburban_premier_manual.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009de1.bin` `4dafa83c11721e9acaea99e98df8af795c2341af9380c715f1e6111708f08d8e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DE1	4300 bytes
`font_01_sfnt_off0000ad09.bin` `3342614f76c00515840f1d8fe54d862fd427ca4434825c4970870a2bfa7723a5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAD09	4660 bytes
`font_02_sfnt_off0000bcc5.bin` `c08be198942f3764eecab86d6989e699cab9ac1d105a1a8e8d5a5b4190175591`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBCC5	10528 bytes
`font_03_sfnt_off0000e0d4.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE0D4	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.