PDF malware analysis — malicious · 371e2fd9a9a52f3e

MALICIOUS

PDF

50.6 KB Created: 2020-08-24 16:51:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b8ede8ece398439226ef362ac08ae10e SHA-1: 72b1a33cd767b6895304bc9abee9acfd81eda906 SHA-256: 371e2fd9a9a52f3e5467f130b99d41643ac0e420951704ba99b6fa1621e75494

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as malicious due to the presence of a link to a known malicious redirector. The document body contains garbled text along with several URLs, including the malicious redirector and a large number of Shopify-hosted PDF files, suggesting a link farm or SEO poisoning attempt. The primary malicious IOC is the redirector URL, which is likely used to funnel users to a malicious destination.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=chipotle+pronunciation+guide
- http://files.pacificcoastvisions.net/uploads/1/3/2/6/132681342/tekadanixe.pdf
- http://files.rubylightportraits.com/uploads/1/3/0/7/130775518/livexekabozu.pdf
- http://rusetoxut.northlincsbeekeepers.org.uk/uploads/1/3/0/8/130814017/ac3b84b9daea836.pdf
- https://cdn.shopify.com/s/files/1/0431/4605/1744/files/sonijunevixuju.pdf
- https://cdn.shopify.com/s/files/1/0435/2199/9008/files/tipe_isoterm_adsorpsi.pdf
- https://cdn.shopify.com/s/files/1/0433/8358/6977/files/fenegolid.pdf
- https://cdn.shopify.com/s/files/1/0432/2616/9503/files/91965803857.pdf
- https://cdn.shopify.com/s/files/1/0433/4800/0922/files/15770642242.pdf
- https://cdn.shopify.com/s/files/1/0462/2758/7223/files/xumir.pdf
- https://cdn.shopify.com/s/files/1/0465/4733/7374/files/create_outlook_email_form_template.pdf
- https://cdn.shopify.com/s/files/1/0431/7334/7488/files/mevitomuralusikeji.pdf
- https://cdn.shopify.com/s/files/1/0431/7921/2960/files/van_morrison_astral_weeks_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0430/6560/6301/files/happy_wheels_apk.pdf
- https://cdn.shopify.com/s/files/1/0427/7259/4844/files/50427008557.pdf
- https://cdn.shopify.com/s/files/1/0433/9679/2471/files/august_2020_current_affairs_free_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007c38.bin` `0e11e16bdc4546cf4a5a4d53855ac9616754066f8795096aff99b91e08681c85`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C38	5060 bytes
`font_01_sfnt_off00008d5d.bin` `deeb4706f4f332f749d3848b957ab38f7f686629d7d3248beb3f958856ddfa38`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D5D	10012 bytes
`font_02_sfnt_off0000afa8.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAFA8	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.