PDF malware analysis — malicious · f3778d58d5a7d736

MALICIOUS

PDF

36.0 KB Created: 2020-09-09 02:05:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 97682b10081577023cdb43f6d219e8c5 SHA-1: 5704d51ca1413105b8393a87d928a9973b4c07c5 SHA-256: f3778d58d5a7d736e0af40ffccca0d881935d542dbdbcc04351cf80a7f23f5ee

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.me/wix?keyword=new+memes+in+tamil'. The document body also contains this URL, suggesting a social engineering lure to entice users to click the link. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=new+memes+in+tamil
- https://static.usrfiles.com/ugd/3b0c81_ec73bd2c925744daa59cf79e56279094.pdf
- https://static.usrfiles.com/ugd/0fdb6d_7ce83ee1e4a44cf7aca519f4aa900985.pdf
- https://static.usrfiles.com/ugd/b8c837_c2931eb0f4b647fc8cead60f5e2cafda.pdf
- https://static.usrfiles.com/ugd/0a0016_03b7efddc4d04321aafb3d23fa934039.pdf
- https://static.usrfiles.com/ugd/3e9e83_938e054f34b2413ca22d79d19c536710.pdf
- https://static.usrfiles.com/ugd/d78803_b4e59b088f4f4bc28d8b193ca0dbf22b.pdf
- https://static.usrfiles.com/ugd/f8de3e_32fcce11032f4b8e9f5baa530c1901ff.pdf
- https://static.usrfiles.com/ugd/120f26_9d4570f4b46040789766da6625a76d07.pdf
- https://cdn.shopify.com/s/files/1/0428/9236/1887/files/when_we_were_young_saxophone_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0434/9739/0244/files/jetakuveneresogurezodup.pdf
- https://cdn.shopify.com/s/files/1/0437/4803/2663/files/independent_sales_contractor_agreement.pdf
- https://cdn.shopify.com/s/files/1/0440/1725/4558/files/programa_para_unir_portable.pdf
- https://cdn.shopify.com/s/files/1/0437/2155/6117/files/35927058597.pdf
- https://cdn.shopify.com/s/files/1/0431/0876/1764/files/white_rotary_sewing_machine_manual.pdf
- https://cdn.shopify.com/s/files/1/0461/7099/6889/files/75290066346.pdf
- https://cdn.shopify.com/s/files/1/0432/3459/0878/files/oxfordshire_stroke_classification.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000472e.bin` `14c471de69113f3140f1d3fb5f49beb59f8d77556495ad6c70d224b42cb37f0c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x472E	4796 bytes
`font_01_sfnt_off00005776.bin` `afbf364675f99997ef1f1d39c548b90771c3d8c5861bce11fdc6f870993fa8c3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5776	2424 bytes
`font_02_sfnt_off000060fa.bin` `f208083409419db66a90f157525c2859fb09a3290c867cdfa45cb4c9d73384b4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60FA	9948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.