PDF malware analysis — malicious · 90ab0e5cba2cdfe5

MALICIOUS

PDF

46.3 KB Created: 2020-08-08 23:04:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9f6c338c2f27a78cc268471b2820f9cf SHA-1: 3444ccba5281f5061da7a07bc4941fafd85cc5d7 SHA-256: 90ab0e5cba2cdfe58d0380f67de37fb02b8427b917215932d5743581c9c4ea69

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.cc'. This suggests a phishing or scam attempt disguised as a technical document. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=stepper+motor+driver+circuit+pdf
- http://fatoj.peakperformancefitnesstx.com/uploads/1/3/1/6/131606069/ec5d5cb36e980a0.pdf
- http://files.crccoutreach.org/uploads/1/3/0/7/130739463/2e159e3.pdf
- http://files.sabatinomangini.com/uploads/1/3/1/4/131438180/87fff37fef0ba.pdf
- https://cdn.shopify.com/s/files/1/0435/2373/5720/files/54811894233.pdf
- https://cdn.shopify.com/s/files/1/0434/5685/6230/files/attendance_sheet.pdf
- https://cdn.shopify.com/s/files/1/0432/2518/6466/files/xivoxutifud.pdf
- https://cdn.shopify.com/s/files/1/0427/4785/5004/files/paxiwepusaxubowekuvuzize.pdf
- https://cdn.shopify.com/s/files/1/0430/2402/3715/files/20064402947.pdf
- https://cdn.shopify.com/s/files/1/0433/5593/0783/files/foredozudemibavomunaxu.pdf
- https://cdn.shopify.com/s/files/1/0428/1312/8867/files/womabepu.pdf
- https://cdn.shopify.com/s/files/1/0432/9422/8630/files/nibagijosejijoz.pdf
- https://cdn.shopify.com/s/files/1/0434/9784/8996/files/kepanuguvamajas.pdf
- https://cdn.shopify.com/s/files/1/0436/5330/0377/files/duvijixakofilowap.pdf
- https://cdn.shopify.com/s/files/1/0430/0174/1463/files/95629687675.pdf
- https://cdn.shopify.com/s/files/1/0434/8638/0189/files/29896060497.pdf
- https://cdn.shopify.com/s/files/1/0431/0653/3527/files/61626608594.pdf
- https://cdn.shopify.com/s/files/1/0431/4379/0760/files/dixetaxo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ba0.bin` `e5bfbea2ec7099ec7c0c799224befb74b2b94c684c0210d8743c63dfc1685b5b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BA0	4820 bytes
`font_01_sfnt_off00007c12.bin` `9385624b78e06d20b9b87aa2d82b77213537e045533af4d61130ea3e3dc93fa2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C12	9932 bytes
`font_02_sfnt_off00009e13.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9E13	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.