Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/wix?keyword=pin+photodetector+pdf'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. The presence of a large number of embedded links, many pointing to Shopify, suggests a link farm or SEO poisoning tactic to obscure the malicious redirector. No scripts were extracted, but the PDF structure and embedded links strongly suggest a social engineering lure.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (3)
- PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK). PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs:
- https://ttraff.link/wix?keyword=pin+photodetector+pdf
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007e3c.bin | e4f2e71c0018bd07ee90587da29fd3c3aed71db42ca12aa1b19214d22a9674e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E3C | 4824 bytes |
| font_01_sfnt_off00008ea2.bin | b73badd7b1dde7f59409d9f6789966534cfc3021f3ebb7104b4d1641ac8d88eb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8EA2 | 11292 bytes |
| font_02_sfnt_off0000b480.bin | 0da5b551d84a453f500a6ba8ca1adfd4400b36dae0f103b74fb712e1a4f46a36 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB480 | 16064 bytes |