PDF malware analysis — malicious · 1ace7283f13c455f

MALICIOUS

PDF

63.8 KB Created: 2020-08-01 11:39:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9c69079954b7045a03f2c305c11db071 SHA-1: 66aa9c815eae4d05bbe7c9978fd30537b25712e4 SHA-256: 1ace7283f13c455f91bf9dfff2b4abd5ef8e9af1dff029008c5ce503b68c9adc

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged as malicious due to a high number of embedded links, many of which point to a redirector service known to host malicious content. The document body contains a large number of these links, suggesting a link farm or SEO poisoning tactic. The primary malicious URL identified is https://ttraff.cc/pify?keyword=heartstrings%2528+south+korean+tv+series%2529. No scripts were extracted, limiting the analysis of direct payload execution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=heartstrings%2528+south+korean+tv+series%2529
- http://files.srmsperformingarts.com/uploads/1/3/1/4/131483327/8934d89145.pdf
- http://files.mysidetabledrawer.com/uploads/1/3/1/3/131379057/siwevafuketama.pdf
- http://files.stephaniegalyon.com/uploads/1/3/0/8/130874509/mokuliwomakerisumi.pdf
- http://files.hannahsealy.com/uploads/1/3/0/7/130739525/7b4568.pdf
- https://cdn.shopify.com/s/files/1/0432/1515/9458/files/beep_sound_effect_download.pdf
- https://cdn.shopify.com/s/files/1/0437/5874/7800/files/napoziwuwululupivasozuser.pdf
- https://cdn.shopify.com/s/files/1/0433/9888/9635/files/rotofusowurim.pdf
- https://cdn.shopify.com/s/files/1/0433/9246/7109/files/68189148344.pdf
- https://cdn.shopify.com/s/files/1/0432/5965/8398/files/27485880602.pdf
- https://cdn.shopify.com/s/files/1/0428/9203/4211/files/14585347606.pdf
- https://cdn.shopify.com/s/files/1/0431/7678/8117/files/10285975884.pdf
- https://cdn.shopify.com/s/files/1/0432/0549/2904/files/1147846207.pdf
- https://cdn.shopify.com/s/files/1/0435/5109/6984/files/64728753464.pdf
- https://cdn.shopify.com/s/files/1/0429/6006/0567/files/4199877323.pdf
- https://cdn.shopify.com/s/files/1/0436/1479/7981/files/napunutikodurimok.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000958a.bin` `28c546db62d64a920107f5314acdbe2e63f3122316547d07e283c51f36232c3a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x958A	11996 bytes
`font_01_sfnt_off0000baf1.bin` `efa848bf78a19dd7068b7a4af2a7ee87cfc6177e306f6bb8e530e67a8c9f3168`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBAF1	5152 bytes
`font_02_sfnt_off0000cc89.bin` `7e03a8957745ace0173f6f43c839ebc8a66bcb007a09261f61cce278f074b3d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCC89	10824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.