PDF malware analysis — malicious · f04bb00911760b92

MALICIOUS

PDF

37.9 KB Created: 2020-08-29 10:38:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9e2505b76ff02a4e3e71cf9c7efdee3f SHA-1: 6d2da389d93fd87583f65ff51bf545cd86f16da8 SHA-256: f04bb00911760b9251f00368dc0be74c002c14cbd0bc743383652f42ad59eb97

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was identified as malicious by an ML classifier and contains a link farm designed to distribute other PDFs. One of the embedded URLs, 'https://ttraff.ru/wix?keyword=riven+rank+calculator', is flagged as a known malicious redirector. The document body, though heavily garbled, appears to contain references to the 'Riven rank calculator' and the tool used to generate the PDF, suggesting a lure or spamming attempt.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=riven+rank+calculator
- https://static.usrfiles.com/ugd/b8c837_0f14f3c6ac4b44149e830a109770851b.pdf
- https://static.usrfiles.com/ugd/b8c837_228a3867b1294af7bf5aa8fe154c1dba.pdf
- https://static.usrfiles.com/ugd/b8c837_0d860f7797634891a029e289f4d33d41.pdf
- https://static.usrfiles.com/ugd/b8c837_41ce40455aa4495d8fbe82d0d08190ec.pdf
- https://static.usrfiles.com/ugd/b8c837_d457b9076ddf4cb4a6e51fa9596e6b48.pdf
- https://static.usrfiles.com/ugd/b8c837_6483d99039724b7689b13b32537406ac.pdf
- https://static.usrfiles.com/ugd/b8c837_9efea030c12f4ddcbf79c469a37b49f8.pdf
- https://static.usrfiles.com/ugd/b8c837_3a9e319c0919441899b43172727d5cb5.pdf
- https://static.usrfiles.com/ugd/b52961_aea91de32ddb43248d9801da8e9ef534.pdf
- https://static.usrfiles.com/ugd/b8c837_1cb4107600054da8b5f169b8a7abdea4.pdf
- https://static.usrfiles.com/ugd/b8c837_7f6ba444c7db4b49a039b5a1b5b8059a.pdf
- https://static.usrfiles.com/ugd/b8c837_8432177643f44956bbf81b136dba065b.pdf
- https://static.usrfiles.com/ugd/b8c837_e861cdc6299c4cf8adb30d40da9b057c.pdf
- https://cdn.shopify.com/s/files/1/0433/8037/5710/files/vuseperamabamevekeroleg.pdf
- https://cdn.shopify.com/s/files/1/0435/2147/4714/files/75918574481.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004968.bin` `14c137d5a4036d77824a8814e32b02d47d80ac547d50f50b8e273de1643b0243`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4968	4628 bytes
`font_01_sfnt_off00005932.bin` `23b20d07e24c066919b53a590c4d7dc3b4e5f82868dfc190c5296998f212d26b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5932	10432 bytes
`font_02_sfnt_off00007c9f.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C9F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.