PDF malware analysis — malicious · e10678655e5ee14d

MALICIOUS

PDF

41.1 KB Created: 2020-09-03 10:18:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b86a0bc8291abd82fd73c40063b10a44 SHA-1: da83ac3920bc7b7cfdbe174af51dbda004be5022 SHA-256: e10678655e5ee14d901e1a2bc85c7fb9494640bfce5df7fafd57c55c17618920

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=number+words+worksheet+1-+1000'. This URL is likely used to redirect users to a malicious site or download further malware. The document body, though heavily obfuscated, also contains this URL and numerous other links hosted on Shopify, suggesting a link farm or SEO poisoning tactic to distribute the malicious PDF. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=number+words+worksheet+1-+1000
- https://cdn.shopify.com/s/files/1/0431/2589/9421/files/12810350803.pdf
- https://cdn.shopify.com/s/files/1/0454/2647/5164/files/31854829762.pdf
- https://cdn.shopify.com/s/files/1/0431/3051/9716/files/dunuxoxafuvi.pdf
- https://cdn.shopify.com/s/files/1/0431/1416/8480/files/ruropuzonimapifum.pdf
- https://cdn.shopify.com/s/files/1/0434/6649/0006/files/23706946139.pdf
- https://cdn.shopify.com/s/files/1/0447/9965/6087/files/boss_gt_100_manual_espaol.pdf
- https://cdn.shopify.com/s/files/1/0434/2664/4125/files/18864859033.pdf
- https://cdn.shopify.com/s/files/1/0434/2392/4376/files/scheduled_caste_certificate_form_punjab.pdf
- https://cdn.shopify.com/s/files/1/0433/9469/5324/files/the_a_team_chords.pdf
- https://cdn.shopify.com/s/files/1/0439/0171/4587/files/avent_breast_pump_manual_boots.pdf
- https://cdn.shopify.com/s/files/1/0436/6771/8309/files/fofakimegajawu.pdf
- https://static.usrfiles.com/ugd/73cb9e_357f2fcaf6044cd2ab8cae704778c60d.pdf
- https://static.usrfiles.com/ugd/97aff7_bd4b4166f27a440db5b115b6144e528b.pdf
- https://static.usrfiles.com/ugd/89064d_1d42a66ba8514bc09823eb1d1d95f780.pdf
- https://static.usrfiles.com/ugd/a2d007_7bc532cd758d448f92c80e03a952d208.pdf
- https://static.usrfiles.com/ugd/409ca8_373e53c438ce4b1c9db6a9dd9af4df91.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006177.bin` `9bd764d8544a67aff825e77baaa236c564427077b6ba630ce0205f4305ae10f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6177	5312 bytes
`font_01_sfnt_off00007380.bin` `692872fe4d0cb127c9c496c3f3b12628c84412b18a7e0875520f82b4c55ee319`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7380	10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.