Malicious PDF — malware analysis report

Static analysis result for SHA-256 f03d183cd2cb922f…

Verdict: MALICIOUS
File type: PDF

Size: 35.7 KB
Created: 2020-09-03 08:41:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b050cf00fc28d541c3f2c77e8c63a09
SHA-1: 6c92e3dd7339f29e10e4f7bfcb9f0d3b2ac0782b
SHA-256: f03d183cd2cb922fbabe6786962c7ffb800a063a7ef6555e0b4c6659d02f97d2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.cc/wix?keyword=metal+platform+bed+frame+with+wood+slats, is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to product names and URLs, suggesting a lure to a malicious site. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=metal+platform+bed+frame+with+wood+slats

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004c65.bin
SHA-256: f6b6a39d19024a0f1dc9e576e9e3655346138aea58439e187ccb073710b1dbd5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4C65
Size: 5516 bytes

Filename: font_01_sfnt_off00005f15.bin
SHA-256: 19398d91d32f29180e4b34edcc565074ad6bc76c69f0d8b01c6e3938fe2f04ec
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F15
Size: 10204 bytes