PDF malware analysis — malicious · 2a333f7ea45af1b9

MALICIOUS

PDF

44.2 KB Created: 2020-08-24 21:23:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b794552c4e7da9d194e8998940f41cb1 SHA-1: 249b88d170419c5c6dc000c2ad881bae4076dcaf SHA-256: 2a333f7ea45af1b9f3e8ce9e2959036057b267ee9cfc54e4ad447a45dcce35b2

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'https://ttraff.cc/pify?keyword=succession+planning+questionnaire+pdf'. This indicates a phishing or social engineering attempt to trick the user into visiting a malicious site under the guise of a succession planning questionnaire. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=succession+planning+questionnaire+pdf
- http://files.twoxtw.com/uploads/1/3/2/8/132814241/25711.pdf
- http://sulal.recraftindy.com/uploads/1/3/1/6/131637136/defudomoterini.pdf
- http://files.childcaredevgroup.ca/uploads/1/3/1/8/131871984/8842145.pdf
- https://cdn.shopify.com/s/files/1/0432/4392/9757/files/vixalomakigalofuzurovuduw.pdf
- https://cdn.shopify.com/s/files/1/0428/5107/4214/files/danoresevo.pdf
- https://cdn.shopify.com/s/files/1/0431/6413/9674/files/excel_spreadsheet_for_splitting_expenses.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/61411835552.pdf
- https://cdn.shopify.com/s/files/1/0436/1283/1907/files/puwebobukaverimo.pdf
- https://cdn.shopify.com/s/files/1/0431/3448/4648/files/xeloganezisijizabo.pdf
- https://cdn.shopify.com/s/files/1/0431/9143/5422/files/gijiramojufivadizifobuwaj.pdf
- https://cdn.shopify.com/s/files/1/0430/6858/8194/files/24183366497.pdf
- https://cdn.shopify.com/s/files/1/0429/6838/3642/files/high_school_musical_jr_script.pdf
- https://cdn.shopify.com/s/files/1/0433/3584/3994/files/vufujexa.pdf
- https://cdn.shopify.com/s/files/1/0433/3764/6245/files/xuxebajamaxojaduv.pdf
- https://cdn.shopify.com/s/files/1/0434/1019/4582/files/cisco_vpn_free.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000060c1.bin` `f5400a147c57b4eef8b8eaaa2d55a83f066b4dff53aab44d4708da642f56c596`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60C1	5432 bytes
`font_01_sfnt_off0000732a.bin` `5c234df1fd2f7411da70c1bfdf5aac49e82099bf74986105dbed400e0cdf9779`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x732A	10160 bytes
`font_02_sfnt_off000095fb.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x95FB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.