PDF malware analysis — malicious · 1d2d51b2308a0e70

MALICIOUS

PDF

41.5 KB Created: 2020-08-12 11:37:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: aa49a2df696263a0f5da494a21f63c04 SHA-1: 588d8cf0798d340070d0629c068be6121b89e496 SHA-256: 1d2d51b2308a0e7073f906423a4ac6d2f714316026c3116e38fe86044f9e7bc9

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external links, suggesting a link farm. One of the embedded URLs, 'https://ttraff.cc/pify?keyword=alleluia+jubilate+deo+pdf', is identified as a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body contains obfuscated text and embedded URLs, consistent with a lure to external malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=alleluia+jubilate+deo+pdf
- http://dokibamis.royaltyriseproductions.com/uploads/1/3/2/6/132681501/kodirotonoga.pdf
- http://misorim.ahshoops.com/uploads/1/3/0/7/130738884/4857799.pdf
- http://files.katydunlapyoga.com/uploads/1/3/0/9/130968920/jigadexizadudaw_baniretepire_menedezerig_wejajoje.pdf
- http://files.nalalumni.org/uploads/1/3/0/7/130740458/ramuneb-pakaleti-jivezala-vifazomi.pdf
- https://cdn.shopify.com/s/files/1/0431/5283/4711/files/24644041905.pdf
- https://cdn.shopify.com/s/files/1/0434/9476/8802/files/400099714.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejumaxerufu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/65545430121.pdf
- https://cdn.shopify.com/s/files/1/0433/4102/1334/files/repunukigumakawok.pdf
- https://cdn.shopify.com/s/files/1/0447/3418/5628/files/nesolironibap.pdf
- https://cdn.shopify.com/s/files/1/0434/7353/5142/files/jozemuwimufalonesol.pdf
- https://cdn.shopify.com/s/files/1/0432/7270/0057/files/calendar_2020_uae_with_holidays.pdf
- https://cdn.shopify.com/s/files/1/0435/2661/9288/files/watchmen_comic_online.pdf
- https://cdn.shopify.com/s/files/1/0432/2436/7266/files/xobopejewaxig.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/21533622499.pdf
- https://cdn.shopify.com/s/files/1/0438/3014/9270/files/application_of_microbial_biotechnology_in_agriculture.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000621e.bin` `97f8a0bc15ff0b73dc23a91d816842d2b3c94dcf36dbf84c0b6a097061481114`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x621E	4964 bytes
`font_01_sfnt_off00007315.bin` `9968f36f3843afce7deadb82011102e38cb3eff916825d1739ea2d178db99405`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7315	11328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.