PDF malware analysis — malicious · 372e530bbd72712d

MALICIOUS

PDF

56.4 KB Created: 2020-08-18 13:44:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b3b35ea3ea2d1962d178e57f7c4686fb SHA-1: a6e24407df6739e9fd08e5c9573222b211611000 SHA-256: 372e530bbd72712d1573ad4a6952bd04e6c333226548c916cc3ac4e0415d66b5

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used for SEO poisoning or to direct users to malicious sites. One of the extracted URLs, 'https://ttraff.cc/pify?keyword=chundari+vave+ringtone+song', is flagged as a known malicious redirector. The document body contains garbled text along with this URL and other Shopify-hosted PDF links, suggesting a lure to a potentially harmful destination.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=chundari+vave+ringtone+song
- http://files.bassreevesconference.com/uploads/1/3/1/8/131857494/widunewexatoporupobi.pdf
- http://files.monsteryandme.com/uploads/1/3/1/4/131406498/8931954.pdf
- https://cdn.shopify.com/s/files/1/0438/5308/6885/files/43820673456.pdf
- https://cdn.shopify.com/s/files/1/0434/8860/8418/files/tri_fold_template_for_google_docs.pdf
- https://cdn.shopify.com/s/files/1/0431/2648/9249/files/14184964745.pdf
- https://cdn.shopify.com/s/files/1/0437/6910/2485/files/namadidojugidatememizapuw.pdf
- https://cdn.shopify.com/s/files/1/0434/3667/1132/files/nazawid.pdf
- https://cdn.shopify.com/s/files/1/0433/2670/1726/files/lurakavejagij.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65039204935.pdf
- https://cdn.shopify.com/s/files/1/0431/2875/0241/files/74416708952.pdf
- https://cdn.shopify.com/s/files/1/0431/9775/9643/files/vowugoset.pdf
- https://cdn.shopify.com/s/files/1/0429/2457/2835/files/joxamegoliliwodi.pdf
- https://cdn.shopify.com/s/files/1/0438/2264/5408/files/adobe_captivate_9_user_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/1437/4047/files/69314143900.pdf
- https://cdn.shopify.com/s/files/1/0437/6307/3181/files/97174147595.pdf
- https://cdn.shopify.com/s/files/1/0435/6934/8763/files/company_profile_template_free_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off00007527.bin` `da689e3cb3c206b1f01ef29b9220510f6f9a3c7b50e104188ed2a999b1236596`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x7527	19372 bytes
`font_00_sfnt_off0000641c.bin` `baa3f29dd3cf31689411544211de900989d5e332e44902425d8b6688e68151c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x641C	5020 bytes
`font_02_sfnt_off0000b12f.bin` `7aedfa659398a1ccb21f36c93a437e93d3389cb03d9ca2a6571903629361ad23`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB12F	10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.