PDF malware analysis — malicious · d6748a7deda8f715

MALICIOUS

PDF

37.8 KB Created: 2020-08-30 11:43:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c2eb5a3860806f9353347404cc9d1f87 SHA-1: cce93ec4286801644e4d39231d24d7d8bd0b49ad SHA-256: d6748a7deda8f715ebc0899d81ea9fd154a6aec871d1f3aff144efaf4c4a9126

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, disguised as a Singer 247 instruction manual. The file also contains a large number of embedded links, many pointing to Shopify, which is a common tactic for SEO poisoning to improve search engine ranking for malicious content. The ML classifier strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=singer+247+instruction+manual
- https://cdn.shopify.com/s/files/1/0437/5147/3313/files/cuarto_convenio_de_ginebra.pdf
- https://cdn.shopify.com/s/files/1/0429/6006/0567/files/kovepavaramuzew.pdf
- https://cdn.shopify.com/s/files/1/0428/8295/7478/files/packet_tracer_7._3._2._4.pdf
- https://cdn.shopify.com/s/files/1/0449/3508/6248/files/whatsapp_plus_anti_banned.pdf
- https://cdn.shopify.com/s/files/1/0433/7090/5750/files/37503498512.pdf
- https://cdn.shopify.com/s/files/1/0428/8469/4175/files/emathinstruction_geometry_answers.pdf
- https://cdn.shopify.com/s/files/1/0437/8961/5266/files/muxexunironozat.pdf
- https://cdn.shopify.com/s/files/1/0435/1882/0511/files/simile_metaphor_personification_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0437/5543/8234/files/35609682788.pdf
- https://cdn.shopify.com/s/files/1/0429/5720/9753/files/missouri_eviction_notice_template.pdf
- https://cdn.shopify.com/s/files/1/0440/8272/5029/files/rivoraki.pdf
- https://static.usrfiles.com/ugd/739437_4c34d16df53a4dd896cf65bdbd787aaf.pdf
- https://static.usrfiles.com/ugd/97634b_6b836ab935d04be689df81e2a899a94a.pdf
- https://static.usrfiles.com/ugd/b8c837_2d49632ee9294ca1a27a9e31d8779245.pdf
- https://static.usrfiles.com/ugd/e1d12c_cec7479a5c8945138402c6544397194d.pdf
- https://static.usrfiles.com/ugd/e6092c_3a001b1abcc646618b5f583b4cb12980.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000047b6.bin` `101f5843655acc9b8b94a2d2d43eccbff3cdd4e4c12e75ca29bd04b6468616e5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x47B6	5404 bytes
`font_01_sfnt_off000059ff.bin` `a511f1ba8ae2b899862e3c8be987233e08e494a108939fcd53a8fed78f85f367`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x59FF	9568 bytes
`font_02_sfnt_off00007aab.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7AAB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.