PDF malware analysis — malicious · 19c41d6a275197e3

MALICIOUS

PDF

45.3 KB Created: 2020-08-29 20:18:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0592beb608d0f8f6ef7c6c76378d2bd9 SHA-1: b55f275d41d53a7f726d0bcceec52d6f251da67b SHA-256: 19c41d6a275197e388c2e66c9a1a704cb4d0a85971613d7f03985e04176eaf6f

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm designed to redirect users. One of the primary URLs identified is a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body contains garbled text but includes the malicious URL.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=charnela+dorsolumbar+pdf
- https://static.usrfiles.com/ugd/b8c837_1e8dad06ab114994a11c46421c81dde1.pdf
- https://static.usrfiles.com/ugd/a76634_45ae6fe0b3c84b149fa4388097e9ba66.pdf
- https://static.usrfiles.com/ugd/b8c837_2b4af1d3e5da46b993c3cdf2095c5294.pdf
- https://static.usrfiles.com/ugd/b8c837_4653aad5158948bca635b0a5e4627b5e.pdf
- https://static.usrfiles.com/ugd/b8c837_9589c71ba4a94a61961b9f4a1185791f.pdf
- https://static.usrfiles.com/ugd/b8c837_de3e21a752474a3c8c8b52e918a48241.pdf
- https://static.usrfiles.com/ugd/b8c837_c2bea7a2424b4e5a95fd7814cc3b2ccd.pdf
- https://static.usrfiles.com/ugd/b8c837_04eef45f742f4f87acb1d72b3f3c0026.pdf
- https://static.usrfiles.com/ugd/b8c837_92285239dda64af3bd69be43a5aa0015.pdf
- https://static.usrfiles.com/ugd/b8c837_5fbe6fcce8a2413390f207758b115997.pdf
- https://cdn.shopify.com/s/files/1/0434/8015/4269/files/zitufegafajogenolopixo.pdf
- https://cdn.shopify.com/s/files/1/0433/0615/6190/files/contract_summary_template_sample.pdf
- https://static.usrfiles.com/ugd/b8c837_9f2ddb608771465eb769970733923c65.pdf
- https://static.usrfiles.com/ugd/c7ef1a_ffbd256fa37141b5bd4effa13682c776.pdf
- https://static.usrfiles.com/ugd/b8c837_2514bf244c0642bd965e8c4b80d22643.pdf
- https://static.usrfiles.com/ugd/b8c837_c007166d0c1f478d9e6c4c4778f2723f.pdf
- https://static.usrfiles.com/ugd/f103bb_d359e09765c04d039229642ec6b5fafd.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000066ca.bin` `365115c123d46500b90249d7343301ef8ac0e6441f520d8ee5b61bb164c630a5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x66CA	5196 bytes
`font_01_sfnt_off00007835.bin` `79f86173bc3c0b120d3dbf300405cadd9e6958c792a58ab8c777a083de1aa08d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7835	9908 bytes
`font_02_sfnt_off00009a2a.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A2A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.