PDF malware analysis — malicious · dd84e38a5c2a1a21

MALICIOUS

PDF

48.5 KB Created: 2020-08-31 21:13:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 04bfb82f76ffa57bba1d39e8ce0af0be SHA-1: 63d12f27fa2ba98ce5ae850cdf61c317add2b469 SHA-256: dd84e38a5c2a1a21275421a88adcc1344920d5dcb2455bceb6450669bd118adc

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with a critical heuristic firing indicating a redirector link to 'https://ttraff.link/wix?keyword=fgd4536+pdf+datasheet'. Another heuristic identified a PDF link farm, suggesting a broader SEO-based distribution tactic. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the suspicious URL and references to a PDF datasheet, reinforcing the lure.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=fgd4536+pdf+datasheet
- https://cdn.shopify.com/s/files/1/0436/4396/1504/files/topographic_anatomy_of_upper_limb.pdf
- https://cdn.shopify.com/s/files/1/0437/9911/7986/files/30879241281.pdf
- https://cdn.shopify.com/s/files/1/0433/0071/6694/files/gafopu.pdf
- https://cdn.shopify.com/s/files/1/0432/6624/4766/files/active_and_passive_voice_quiz_with_answers.pdf
- https://cdn.shopify.com/s/files/1/0434/8893/6102/files/71789321250.pdf
- https://cdn.shopify.com/s/files/1/0432/2879/0946/files/gajemurowaparifuxekej.pdf
- https://static.usrfiles.com/ugd/23e9be_a2186e1e30fa4091a4a8f3e7361e937c.pdf
- https://static.usrfiles.com/ugd/eaf48f_5d0acf37087248a595248a3e7aa0d348.pdf
- https://static.usrfiles.com/ugd/850f07_2589fbebd7bf4810b56dc2cb3a63d854.pdf
- https://static.usrfiles.com/ugd/b8c837_81b87fe516dd48da9ca8c03f5954dd05.pdf
- https://static.usrfiles.com/ugd/2ca09c_5f33e1aedfd94cc2a52b4e24c92fe791.pdf
- https://static.usrfiles.com/ugd/e3834b_7bfa8a91e56a46f18454d9bfa3847a4e.pdf
- https://static.usrfiles.com/ugd/b8c837_928d4ae96bb3437abc9af4af673dde39.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000052b2.bin` `fb8efc21509387da72aee1183c6c552682b6c47c129daa1bb46998a8edbf1702`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x52B2	2020 bytes
`font_01_sfnt_off00005c2a.bin` `f1271bda17e80a3bceefdfd3edc7d0f7bf828a8b1a1e2894fde4420e79e39959`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C2A	5660 bytes
`font_02_sfnt_off00006f75.bin` `03f79918bfd571b7f7f3da04d550f347e7e8d488d248ffafd482d8f44497c754`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F75	8268 bytes
`font_03_sfnt_off0000867a.bin` `8347504e7e329531f26f1d47ca3dc3f65f3fc96553ff8effaf4d0dbc51b1b587`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x867A	15044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.