MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One such link, 'https://ttraff.me/wix?keyword=autodesk+inventor+2015+manual+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the target URL and appears to be designed to mimic a software manual to entice clicks.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.me/wix?keyword=autodesk+inventor+2015+manual+pdf
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000063e3.bin c2312f9d33a5d797d283fd9e96fd5d63c4ed7bd4ffebc89e3df1323b0e89083c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x63E3 | 5588 bytes |
| font_01_sfnt_off00007770.bin ad87ac59d82982f9d2c765c260661ac6a17cc5765958275954e3cb0d639b01e2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7770 | 5752 bytes |
| font_02_sfnt_off00008afa.bin 41a006594f68ceec0ce60de309cd90664553e011072760f2ba4f6b6ae48461a8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AFA | 10876 bytes |