PDF malware analysis — malicious · 3b599b07eb67de35

MALICIOUS

PDF

65.8 KB Created: 2020-08-31 21:30:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b26e3ee1526b336c64251838434b37cf SHA-1: c948977613877f90d9d59954754a68c62cef4b4c SHA-256: 3b599b07eb67de3529f9cb9bc672c368285f1dd7f8dfb9e797deb01cb34fa358

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged for containing a malicious redirector link and a large number of embedded links, suggesting a link farm or SEO abuse tactic. The primary malicious URL, https://ttraff.com/wix?keyword=sholawat+burdah+imam+busyiri, is identified as a redirector. While many other links point to benign Shopify domains, the presence of the malicious redirector and the sheer volume of links indicate a deceptive or malicious intent, likely to drive traffic to harmful sites or manipulate search engine results.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=sholawat+burdah+imam+busyiri
- https://cdn.shopify.com/s/files/1/0427/7587/1654/files/pubupabomajagizejub.pdf
- https://cdn.shopify.com/s/files/1/0438/9348/9832/files/86350309693.pdf
- https://cdn.shopify.com/s/files/1/0429/2398/3001/files/24333011113.pdf
- https://cdn.shopify.com/s/files/1/0437/2925/6602/files/new_movie_song_2019_bestwap.pdf
- https://static.usrfiles.com/ugd/2ca09c_b5bca3a7a55644ffa47c6888b54ef224.pdf
- https://static.usrfiles.com/ugd/ea78e0_20b62ba9070841019780137a17fd8ff2.pdf
- https://static.usrfiles.com/ugd/d55797_5faec4700ad349a69a13a639d955e70f.pdf
- https://static.usrfiles.com/ugd/02beb7_06ffa9d872eb4448a71d648263f97112.pdf
- https://static.usrfiles.com/ugd/d4a9d6_775b87ab703b4bffb5fd8cab9f702d70.pdf
- https://cdn.shopify.com/s/files/1/0429/8552/1311/files/michael_vey_book_2_audiobook.pdf
- https://cdn.shopify.com/s/files/1/0431/4641/2188/files/lazad.pdf
- https://cdn.shopify.com/s/files/1/0431/5768/4375/files/oracle_client_for_mac.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99237037604.pdf
- https://cdn.shopify.com/s/files/1/0431/5663/5812/files/85876199620.pdf
- https://cdn.shopify.com/s/files/1/0434/0105/2310/files/chicken_invaders_6_pc_game.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off0000cc78.bin` `1f18411d4188a460a7820ac5a2e9165069e41d6013de858e6a0582cefcacf335`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCC78	25196 bytes
`font_00_sfnt_off00009603.bin` `5a700d5fbaf3728b38a7ddaa6e63d5a91390256a7303e2261868b701f9bdc6b6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9603	5504 bytes
`font_01_sfnt_off0000a89c.bin` `aeac07dda536b7597be5d5052eabce49fdeba86fe72b144695ee11cf668f1614`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA89C	10852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.