PDF malware analysis — malicious · ce1cbc58ffbb0a02

MALICIOUS

PDF

46.8 KB Created: 2020-08-31 04:39:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bc1c572ba9f1d41eeb4d6f1f7a7f3f16 SHA-1: f84277f448d7386e9a14fd4a3145bf2c0db497fb SHA-256: ce1cbc58ffbb0a02cd64160e35515c110160d1ab1248cec6fb0620fb06c75eea

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.link/wix?keyword=thor+x+10+million+candlepower+spotlight+battery'. The document body, though heavily obfuscated, also contains this URL and references to product names, suggesting a lure. The presence of a PDF link farm heuristic further indicates malicious intent to distribute links. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=thor+x+10+million+candlepower+spotlight+battery
- https://cdn.shopify.com/s/files/1/0429/2083/7279/files/vewafawu.pdf
- https://cdn.shopify.com/s/files/1/0438/0341/0589/files/professione_albergatore_allianz.pdf
- https://cdn.shopify.com/s/files/1/0435/3579/4344/files/85067626315.pdf
- https://cdn.shopify.com/s/files/1/0428/8351/4527/files/kimepaxilunug.pdf
- https://static.usrfiles.com/ugd/b8c837_da332fba4c2d416aa22f94bcbf61e122.pdf
- https://static.usrfiles.com/ugd/696b8a_619654b7f8244203bec89d9f6934fc45.pdf
- https://static.usrfiles.com/ugd/45e30f_fbb51650d6114993bb026a65bd33c2da.pdf
- https://static.usrfiles.com/ugd/ab922d_6104c16e39ef48bd93b534f16bde1710.pdf
- https://static.usrfiles.com/ugd/b8c837_f0df0ede68d24257857ef5e4911b38e9.pdf
- https://static.usrfiles.com/ugd/b8c837_cc49fc282ce94bc688b41131689e017e.pdf
- https://static.usrfiles.com/ugd/c1de29_2e5146fafef64196bbbdea040353a23f.pdf
- https://static.usrfiles.com/ugd/b8c837_60ba5be9e81e4bdf9057e0ef88e496fe.pdf
- https://cdn.shopify.com/s/files/1/0432/9419/5870/files/gozuxifufavubat.pdf
- https://cdn.shopify.com/s/files/1/0433/6559/7342/files/37493547688.pdf
- https://cdn.shopify.com/s/files/1/0435/2638/9912/files/26765473077.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a2a.bin` `a0eb5f260e662aab5ca3a6fb4cea331b1ab214299242d7ec21eae0fa4ddc83c1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A2A	3008 bytes
`font_01_sfnt_off000074db.bin` `1040d7dfacd9dd4d409302cb49472130e6a4c168f189016c640d9044e1a14379`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74DB	6032 bytes
`font_02_sfnt_off00008947.bin` `eae42e0cd5d52c487e489014f85708aa61b6905b21e53cf53ba64689d1fdaeb5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8947	10864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.