PDF malware analysis — malicious · 30b624bfcb9fc05b

MALICIOUS

PDF

42.3 KB Created: 2020-08-08 13:19:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0fcaebd9b173a6b59181f97e3c1041f0 SHA-1: 7fadc534e46ad1d581d3ac92c98748f5a2599c51 SHA-256: 30b624bfcb9fc05bc085cdc6695d7d02bf51087959e954ba04701eeaeb203fb6

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains the same malicious URL. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm designed to attract search engine traffic and lure unsuspecting users to malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=infeksi%20cmv%20pdf
- http://totetuj.gods-story.co/uploads/1/3/0/7/130776177/kosopupigofi_tawewolon.pdf
- http://files.clclockport.org/uploads/1/3/1/8/131856860/c3f819ad8f.pdf
- http://files.drcamcreates.com/uploads/1/3/1/4/131453221/6374514.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tikodizexosuva.pdf
- https://cdn.shopify.com/s/files/1/0430/6396/7906/files/38780485197.pdf
- https://cdn.shopify.com/s/files/1/0431/3926/8770/files/57018034614.pdf
- https://cdn.shopify.com/s/files/1/0435/3448/3616/files/vijimererikug.pdf
- https://cdn.shopify.com/s/files/1/0433/7473/9607/files/jobimosolegitox.pdf
- https://cdn.shopify.com/s/files/1/0431/7826/2692/files/dasefaze.pdf
- https://cdn.shopify.com/s/files/1/0431/9635/0624/files/75738616293.pdf
- https://cdn.shopify.com/s/files/1/0427/6820/3942/files/suxuzebulopobavovedok.pdf
- https://cdn.shopify.com/s/files/1/0430/9277/0977/files/best_don_t_starve_together_mods.pdf
- https://cdn.shopify.com/s/files/1/0429/2558/8639/files/datagosowejavitufewiluweg.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000068c8.bin` `3dbc3b90ae3e611d94335dc3e07b2f1d03ba515adfef0a673f7b85ee3d1b0595`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x68C8	5024 bytes
`font_01_sfnt_off000079eb.bin` `99ce76b4c964f91b36b75769624cc5f39f81b494fd84ec99092a525b37c1a5d6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79EB	10268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.