PDF malware analysis — malicious · 3d3daba58bcbbf09

MALICIOUS

PDF

48.3 KB Created: 2020-08-29 11:05:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a00940148eb7e256f65ea04ea03eb8d2 SHA-1: e7c0d975d1aaf4307d21c607c708b2bebd098774 SHA-256: 3d3daba58bcbbf09d9b2da3fd44842bc438d49d6106c5d9e866099d38d8fe87d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with the primary link directing to a malicious redirector. The document body, though heavily obfuscated, contains text related to pregnancy weeks and the malicious URL. This suggests a phishing or scam attempt to redirect users to harmful content. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=como+saber+quantas+semanas+de+gravid
- https://static.usrfiles.com/ugd/b8c837_ab1ce2e910374072bfb857a175e262b6.pdf
- https://static.usrfiles.com/ugd/b8c837_338bf714bd0e413a9b92497faf5273bb.pdf
- https://static.usrfiles.com/ugd/b8c837_4eff25d7850a40f7b91869aedce118a8.pdf
- https://static.usrfiles.com/ugd/b8c837_182db166c3ec49599cd72e90960aaf03.pdf
- https://static.usrfiles.com/ugd/b8c837_3f66f03741b147d385a27749e24f2d19.pdf
- https://static.usrfiles.com/ugd/b8c837_ae03b30485084813961b24a2ed935480.pdf
- https://static.usrfiles.com/ugd/b8c837_cf155e1798dc4d58ad38a62e6c9f8df3.pdf
- https://static.usrfiles.com/ugd/b8c837_4d7c904c89de4d31a859678a4754e51f.pdf
- https://static.usrfiles.com/ugd/b8c837_bcdc75d14e8546e6b09948c9baef3b14.pdf
- https://static.usrfiles.com/ugd/b8c837_096c9ef2c21d4edd99528077ba3309ed.pdf
- https://cdn.shopify.com/s/files/1/0435/4323/2661/files/sakenusipevodepaduw.pdf
- https://cdn.shopify.com/s/files/1/0433/6664/5916/files/jewirurorijipu.pdf
- https://cdn.shopify.com/s/files/1/0428/5412/1635/files/automated_process_control_system_in_pharmacy.pdf
- https://cdn.shopify.com/s/files/1/0432/0516/5216/files/kakutexewena.pdf
- https://cdn.shopify.com/s/files/1/0437/8283/2289/files/57286271562.pdf
- https://cdn.shopify.com/s/files/1/0440/6588/2277/files/19710926368.pdf
- https://cdn.shopify.com/s/files/1/0428/3406/7615/files/bumasujabokidasaloronesu.pdf
- https://cdn.shopify.com/s/files/1/0440/1581/2766/files/63893781099.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007a0e.bin` `9d7164d951264e37c1caf8ff75af0895334f002bf445705690b2d9a930b8e2b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A0E	5344 bytes
`font_01_sfnt_off00008c1e.bin` `6c6f9aca93d89b1ab8dde1d2add7dd6e8565bf564bb2c8596d5ac044d5ea0380`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C1E	12420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.