PDF malware analysis — malicious · ee171e084c4a877d

MALICIOUS

PDF

37.9 KB Created: 2020-08-18 15:42:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c86a405efe7a1ce5fee2530fe2edb0de SHA-1: c42d65b8b090ca60e65ab49f88832618145800b8 SHA-256: ee171e084c4a877d604d63a2985b3b36e7af3ed12320ed00eb9ba897c4c5cbaa

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, also contains the URL 'https://ttraff.com/pify?keyword=ram+bhagwan+hd+wallpaper', suggesting a lure to a malicious site. The presence of a PDF link farm further indicates an attempt to distribute malicious content or manipulate search engine results.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=ram+bhagwan+hd+wallpaper
- http://tazak.marshallcoauburnclub.com/uploads/1/3/2/7/132740435/4b0d402162d0.pdf
- https://cdn.shopify.com/s/files/1/0433/5563/5880/files/banff_national_park_map.pdf
- https://cdn.shopify.com/s/files/1/0428/0962/2687/files/radutu.pdf
- https://cdn.shopify.com/s/files/1/0439/1786/9211/files/2328069689.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13578549785.pdf
- https://cdn.shopify.com/s/files/1/0432/3577/0535/files/21886624994.pdf
- https://cdn.shopify.com/s/files/1/0430/4224/2709/files/tajuj.pdf
- https://cdn.shopify.com/s/files/1/0434/8523/3318/files/cockatiel_diet.pdf
- https://cdn.shopify.com/s/files/1/0432/9606/3652/files/ashrae_handbook_applications.pdf
- https://cdn.shopify.com/s/files/1/0437/3653/1095/files/bharat_movie_song_slow_motion_pagalworld.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004cbc.bin` `bf006cfb96c6b9c90c20f77f19c4e2c54787a8eabcd2d52a6add1fb48a6e4c83`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4CBC	5436 bytes
`font_01_sfnt_off00005f20.bin` `269504f1696a1423b3f25f9f2bff2ae4dd228b500021b3f653df9eadc2405ee2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F20	9820 bytes
`font_02_sfnt_off000080e5.bin` `7bf0bec78960cb9a99449b057be819f31820f7f52d19c39090e7c56773ab9dc8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x80E5	2572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.