PDF malware analysis — malicious · f0d6b79db1947e7b

MALICIOUS

PDF

42.5 KB Created: 2020-08-30 06:21:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 02657b246eb7c6dd31b0f7154a6a3939 SHA-1: 786f92f00df2a19a414b1b0565ca3cedcdd47e7b SHA-256: f0d6b79db1947e7beb09016fb55ae2c553d02e1e899fe2ed9c70572a2b71155e

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious due to a high number of embedded external links, a technique often used to redirect users to phishing sites or download malware. The primary malicious URL identified is https://ttraff.com/wix?keyword=formato+de+nota+de+remision+para+lle. While the document body contains text related to a 'Formato de nota de remision', it is heavily obfuscated and likely serves as a lure. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=formato+de+nota+de+remision+para+lle
- https://cdn.shopify.com/s/files/1/0427/9861/2636/files/42216758737.pdf
- https://cdn.shopify.com/s/files/1/0432/1011/3188/files/tufej.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vatajimawi.pdf
- https://cdn.shopify.com/s/files/1/0440/1253/5958/files/commutative_property_of_multiplication_worksheets_3rd_grade.pdf
- https://static.usrfiles.com/ugd/f0f215_a6afccdc166d4c32974f394c4709cfbb.pdf
- https://static.usrfiles.com/ugd/b8c837_8f15cece40b245d68ae428b28317248d.pdf
- https://static.usrfiles.com/ugd/b8c837_2b2bcb4b26be4650989713ea16f496c3.pdf
- https://static.usrfiles.com/ugd/b8c837_55afcb8bed164e5db7b3c8c9f5a4816d.pdf
- https://static.usrfiles.com/ugd/b8c837_40a453eaa689443c9fd4749d3652104d.pdf
- https://static.usrfiles.com/ugd/80c1db_435a2b0daaed403c810713b59a019357.pdf
- https://static.usrfiles.com/ugd/b8c837_d9097c534ec648f8ae044f403ba0f86e.pdf
- https://static.usrfiles.com/ugd/b8c837_0c019b9e74c742288d9546c192187095.pdf
- https://cdn.shopify.com/s/files/1/0432/3583/6059/files/66846413780.pdf
- https://cdn.shopify.com/s/files/1/0428/8312/1319/files/literatura_arcadismo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005ec0.bin` `882d8eb3438ed0036a38656aa2101b35f5fced66bcaa916d86c92cca23ca97f0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5EC0	4848 bytes
`font_01_sfnt_off00006f0f.bin` `77c599727d9605f77ce2a42c0038fd2e55713616d03eb61ac6f55948e217369a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F0F	9928 bytes
`font_02_sfnt_off00008f2a.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8F2A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.