PDF malware analysis — malicious · bbf6b2b70a7fc2a2

MALICIOUS

PDF

41.3 KB Created: 2020-08-31 19:25:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 55021fa7fd0e8292eb656fc84cdbfef0 SHA-1: bece233c08fc1bde59212e297159358836951464 SHA-256: bbf6b2b70a7fc2a23bacfd0d0f46156adc838cd70635bb234dcc83f52d229ff2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO spam and phishing. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/wix?keyword=arduino+nano+drivers'. The document body, though heavily obfuscated, contains references to 'Arduino nano drivers', suggesting a lure to trick users into clicking the malicious link. The presence of a large number of external PDF links further supports the SEO spam/phishing classification.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=arduino+nano+drivers
- https://static.usrfiles.com/ugd/b8c837_f387e4aade1d4fa9b16ff9bab8f379b8.pdf
- https://static.usrfiles.com/ugd/e2f197_20e6ef354b2943e4996357ad81f55988.pdf
- https://static.usrfiles.com/ugd/c83fdb_f3d1de285ed94f778d9e78edaf45f7cb.pdf
- https://cdn.shopify.com/s/files/1/0435/8874/7423/files/84743177267.pdf
- https://cdn.shopify.com/s/files/1/0432/7515/7670/files/83613280804.pdf
- https://cdn.shopify.com/s/files/1/0430/0098/7801/files/63056206176.pdf
- https://cdn.shopify.com/s/files/1/0431/7285/5957/files/27476774775.pdf
- https://cdn.shopify.com/s/files/1/0459/9100/2269/files/40658110416.pdf
- https://cdn.shopify.com/s/files/1/0432/3957/1616/files/nesulo.pdf
- https://cdn.shopify.com/s/files/1/0435/3818/6392/files/54053957368.pdf
- https://cdn.shopify.com/s/files/1/0431/1498/7682/files/tekubugezirevubilojavavo.pdf
- https://cdn.shopify.com/s/files/1/0450/2398/5828/files/autoestima_alta.pdf
- https://cdn.shopify.com/s/files/1/0428/5353/1807/files/jazosoroguwoxiz.pdf
- https://cdn.shopify.com/s/files/1/0431/6879/2733/files/abrsm_violin_books.pdf
- https://cdn.shopify.com/s/files/1/0434/4525/6352/files/gokirogot.pdf
- https://cdn.shopify.com/s/files/1/0440/1908/9566/files/41894064213.pdf
- https://cdn.shopify.com/s/files/1/0431/7616/5536/files/73624498001.pdf
- https://cdn.shopify.com/s/files/1/0429/5675/1002/files/ark_ios_taming_guide.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000632d.bin` `f6f520a1d5b355ed9d4f29d64af3d057833f06536ae22cb969ac4cdaf4c75529`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x632D	4836 bytes
`font_01_sfnt_off000073b1.bin` `82e986283d12b59ba2ef9517199427fbbcdd9994e82afe0bd8779ccda249246a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73B1	10852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.