PDF malware analysis — malicious · ffebdf91ec33e186

MALICIOUS

PDF

50.1 KB Created: 2020-08-12 07:02:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ba36b316d69117daba4a66fe26fa2e5f SHA-1: 60beb7176fc79f93719e822e8176c4b7ee402c08 SHA-256: ffebdf91ec33e186962e102ba897966cbed289cdffb97d8ff162d570c7e84524

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.cc). This suggests a link farm or SEO poisoning tactic to distribute malicious content. The document body, though heavily obfuscated, contains the URL that triggers the redirection, indicating a lure for users to download or access further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=introductory%20entomology%20pdf
- http://files.johnpusateri.com/uploads/1/3/1/8/131856308/3477226.pdf
- http://files.scituatehighschoolathletics.com/uploads/1/3/0/9/130968906/92100a07c.pdf
- http://files.irchstheatre.org/uploads/1/3/0/8/130814714/7900484.pdf
- https://cdn.shopify.com/s/files/1/0431/2137/7434/files/11237238590.pdf
- https://cdn.shopify.com/s/files/1/0436/8737/9094/files/17445765860.pdf
- https://cdn.shopify.com/s/files/1/0432/8197/3403/files/48051573779.pdf
- https://cdn.shopify.com/s/files/1/0433/9371/2286/files/xaponufopufibega.pdf
- https://cdn.shopify.com/s/files/1/0429/8027/8426/files/85197393814.pdf
- https://cdn.shopify.com/s/files/1/0432/4163/5997/files/68399641086.pdf
- https://cdn.shopify.com/s/files/1/0433/9027/1642/files/93760588509.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/16485275060.pdf
- https://cdn.shopify.com/s/files/1/0433/9014/0581/files/network_security_administrator_roles_and_responsibilities.pdf
- https://cdn.shopify.com/s/files/1/0430/9165/6864/files/22_f_here_u.pdf
- https://cdn.shopify.com/s/files/1/0428/8489/0790/files/38335714547.pdf
- https://cdn.shopify.com/s/files/1/0431/3173/2132/files/amazing_grace_chords_d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ca9.bin` `323b9f4290e9f4484b68d9439cbecda21ff60a39eff71549467bd80d1a753751`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CA9	5124 bytes
`font_01_sfnt_off00007e0c.bin` `14d567b71ed8d32707bde2c141b02c232707f301842abb0b23a4bff41e481773`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E0C	11188 bytes
`font_02_sfnt_off0000a43d.bin` `c8a6b387e0fd6dbf6d88c72609f05100afaaf4ad1f0940a9200b880248f86e7a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA43D	16692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.