PDF malware analysis — malicious · b87be2d6a3a584cd

MALICIOUS

PDF

49.1 KB Created: 2020-08-15 04:41:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a2e45f045d07c6e591a9c201447e807c SHA-1: 3d16e830175e9fe10d12501d7cf5d8e9ca205639 SHA-256: b87be2d6a3a584cdc104008368b362cd414617d0955d1e0b5d418a20f1dc3efe

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the final destination. The document body, though partially corrupted, contains text related to 'Atom platformio- ide- terminal python' and the malicious URL, indicating a lure to a potentially malicious site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=atom+platformio-+ide-+terminal+python
- http://files.trailertruckintech.com/uploads/1/3/1/4/131406149/65e882412.pdf
- http://files.anniestexasmusings.com/uploads/1/3/0/9/130969461/xekifusudadurijitiso.pdf
- http://rimit.larissaj.com/uploads/1/3/0/8/130813528/pojofodujatazox.pdf
- https://cdn.shopify.com/s/files/1/0429/7555/9829/files/sazabababof.pdf
- https://cdn.shopify.com/s/files/1/0431/1298/8821/files/mowozutonulip.pdf
- https://cdn.shopify.com/s/files/1/0435/1311/8872/files/magonidunovajosigapeji.pdf
- https://cdn.shopify.com/s/files/1/0431/9353/2573/files/91613587823.pdf
- https://cdn.shopify.com/s/files/1/0432/6939/0500/files/78501889109.pdf
- https://cdn.shopify.com/s/files/1/0450/1949/6606/files/lg_tool_crack.pdf
- https://cdn.shopify.com/s/files/1/0435/1908/2651/files/12819772937.pdf
- https://cdn.shopify.com/s/files/1/0433/9888/9621/files/51529205399.pdf
- https://cdn.shopify.com/s/files/1/0431/5657/0266/files/34103593247.pdf
- https://cdn.shopify.com/s/files/1/0430/9689/9733/files/68946052901.pdf
- https://cdn.shopify.com/s/files/1/0428/7440/5023/files/sarov.pdf
- https://cdn.shopify.com/s/files/1/0431/8488/1825/files/vocabulary_words_bangla_to_english.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006748.bin` `90cf7c8640a8e779c566f403f5bd753fe9a8d06a81b0243c1ed56f8bf4353478`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6748	5228 bytes
`font_01_sfnt_off000078e6.bin` `2450be4d13722cbcf4198b65f35aa75ce0251ec97112d393d29ea38759838162`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78E6	7220 bytes
`font_02_sfnt_off00008c8f.bin` `237ee8f9bc6b6163e041d84d75c1f03be036adfad503df3c74fbe2d6e35096d7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C8F	13148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.