PDF malware analysis — malicious · 19db6e20d5047694

MALICIOUS

PDF

40.1 KB Created: 2020-08-29 13:20:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a155dd308278c6e01174af91b6d8655d SHA-1: d02d9b4752253408dc9c3653c1c713d2025146b4 SHA-256: 19db6e20d50476947eb6e5d35b102f5a8bcab9fbb78bc5576c5d64346cd1400d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure related to 'Anglican breviary used'. The ML classifier strongly indicates maliciousness. No scripts were extracted, but the presence of the malicious redirector is a high-confidence indicator of a phishing or redirection attack.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=anglican+breviary+used
- https://cdn.shopify.com/s/files/1/0430/7730/4484/files/bewatakoruw.pdf
- https://cdn.shopify.com/s/files/1/0434/0649/1797/files/deferred_loan_costs_balance_sheet.pdf
- https://cdn.shopify.com/s/files/1/0463/4869/7757/files/capex_budget_excel_template.pdf
- https://cdn.shopify.com/s/files/1/0428/9904/6553/files/dedavemidifajojulisel.pdf
- https://cdn.shopify.com/s/files/1/0431/9094/3901/files/youtube_2_wav.pdf
- https://cdn.shopify.com/s/files/1/0463/0822/9280/files/rabojuvobafututu.pdf
- https://cdn.shopify.com/s/files/1/0428/3334/6719/files/guxafowomijixujufog.pdf
- https://static.usrfiles.com/ugd/b8c837_c9829c9b2a6b4d6ba758d775c2a5df50.pdf
- https://static.usrfiles.com/ugd/b8c837_e94f57d61c3541f8854750fa62ef537a.pdf
- https://cdn.shopify.com/s/files/1/0438/5108/8032/files/centrifugal_pump_ppt.pdf
- https://cdn.shopify.com/s/files/1/0436/0149/4179/files/94040716969.pdf
- https://cdn.shopify.com/s/files/1/0429/3296/1439/files/depth_first_search_javascript.pdf
- https://cdn.shopify.com/s/files/1/0433/3839/9902/files/sijebe.pdf
- https://cdn.shopify.com/s/files/1/0435/0086/3643/files/eclipse_oxygen_4._7._3a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0429/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005132.bin` `a5a7a38c01db9d90258a990e01443def64c9cd64b3aa54ed7ad9b89a672e9df2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5132	5088 bytes
`font_01_sfnt_off0000627e.bin` `db8d9fcb1ee8fba0be2a6f73004cc615fc8a823f30901fd73c95331338296ed4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x627E	10144 bytes
`font_02_sfnt_off00008537.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8537	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.