PDF malware analysis — malicious · 46c077a08de40aa5

MALICIOUS

PDF

44.8 KB Created: 2020-08-15 21:57:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b5e32317fd1d0f879f14a83e8064da0e SHA-1: 930a2319a1c095b15621964f8f0948ac9af43265 SHA-256: 46c077a08de40aa599c904b6af57a7340b3f7994a6ae2e378caf1a9570a921b0

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.cc'. This suggests a link farm or SEO poisoning tactic to distribute malicious content. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/wb?keyword=how%20to%20draw%20a%20caricature%20pdf', indicating an attempt to lure users with a seemingly relevant topic. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=how%20to%20draw%20a%20caricature%20pdf
- http://files.jamesfarris.net/uploads/1/3/0/8/130814195/rovulepipu.pdf
- https://cdn.shopify.com/s/files/1/0434/3929/2577/files/jojamakefopenosawinova.pdf
- https://cdn.shopify.com/s/files/1/0428/5965/9420/files/makerere_university_courses.pdf
- https://cdn.shopify.com/s/files/1/0441/0654/7352/files/autodesk_123d_design_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0437/5619/1893/files/gewunidefifij.pdf
- https://cdn.shopify.com/s/files/1/0433/8178/4726/files/gimuwigofibukav.pdf
- https://cdn.shopify.com/s/files/1/0441/2299/6888/files/84719613909.pdf
- https://cdn.shopify.com/s/files/1/0434/2402/2677/files/zosabusebefunolepowawe.pdf
- https://cdn.shopify.com/s/files/1/0434/4355/2416/files/80967611492.pdf
- https://cdn.shopify.com/s/files/1/0437/0418/9096/files/rugupekot.pdf
- https://cdn.shopify.com/s/files/1/0437/5127/6696/files/zugikamekuzemunezab.pdf
- https://cdn.shopify.com/s/files/1/0428/4071/9516/files/12328550991.pdf
- https://cdn.shopify.com/s/files/1/0438/3195/1517/files/tremble_chords_c.pdf
- https://cdn.shopify.com/s/files/1/0429/9892/3427/files/99124884711.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0428/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000649f.bin` `5d54f58377779d13bcc03f41421f3a3a7f93f3a02d61a16d71cf89f82c9b64f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x649F	4768 bytes
`font_01_sfnt_off000074f8.bin` `018e5fe34eb93b48e95b0189a33f4596899036360e641ab2d99c7b2da0966e97`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74F8	10240 bytes
`font_02_sfnt_off000097b4.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97B4	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.