PDF malware analysis — malicious · b8891c8ef03b8d94

MALICIOUS

PDF

61.6 KB Created: 2020-08-31 09:52:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a171120a80a6bfc55694a540b4d19347 SHA-1: d3ec61ff1080f1b44f081cf3dafb00bd006f2ad4 SHA-256: b8891c8ef03b8d94ef7485413baff8e4b9c8767d7a8786face0f1d0307fb0cfd

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a high number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be a link farm designed to redirect users to malicious infrastructure, as evidenced by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic and the presence of the ttraff.cc URL.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=dragon+ball+bojack
- https://cdn.shopify.com/s/files/1/0431/1485/6610/files/karni_padi_badmashi_ringtone.pdf
- https://cdn.shopify.com/s/files/1/0434/1478/2104/files/difference_between_phoneme_and_allophone.pdf
- https://cdn.shopify.com/s/files/1/0433/0097/8853/files/wotov.pdf
- https://cdn.shopify.com/s/files/1/0431/0456/7450/files/bullying_definition.pdf
- https://cdn.shopify.com/s/files/1/0432/5752/8480/files/81081194569.pdf
- https://static.usrfiles.com/ugd/b8c837_026c92d242b6410b91409be371325ea4.pdf
- https://static.usrfiles.com/ugd/850f07_e05ae706f1b0464f9f706d8e676eeb1e.pdf
- https://static.usrfiles.com/ugd/9219f8_b595ec74440c43c1aec56d1b63506d77.pdf
- https://static.usrfiles.com/ugd/b8c837_27adc5cc3eed4076be5d6a00517034c0.pdf
- https://static.usrfiles.com/ugd/7f16bd_7220bbd51bfd41a69ad89ab177c84c86.pdf
- https://static.usrfiles.com/ugd/111c46_4144896e95114bdc85dafb4c222b27a6.pdf
- https://static.usrfiles.com/ugd/02beb7_7a802cdb624a4c699d894957d01351aa.pdf
- https://static.usrfiles.com/ugd/d5cf39_f655783ef4b34324a8e3024597ffde9b.pdf
- https://static.usrfiles.com/ugd/4d6844_f78384c085c44e9db642ac5ef71d7f8c.pdf
- https://static.usrfiles.com/ugd/b8c837_e324195a8bcd4261ada8195db2fe5441.pdf
- https://static.usrfiles.com/ugd/de60da_99f791ae6b0842c19c7a894afc82332d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a4c5.bin` `cc53c8ab912de46bff648dd74fab0e135a9b79fa62557f35842fe06877a96d69`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA4C5	4512 bytes
`font_01_sfnt_off0000b4a3.bin` `d6b79fcf95190234af93644bcdec7d721994d9216ccf683805205ff759d7bff7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB4A3	5068 bytes
`font_02_sfnt_off0000c5f9.bin` `6d17a9b3a34d8355a558726b1e2b9d187ef2bb923956e841873cc3cb8a92e5ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC5F9	10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.