PDF malware analysis — malicious · 401cf73d4de57aca

MALICIOUS

PDF

47.8 KB Created: 2020-09-01 22:53:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b00379c77bfc625967153148bed810db SHA-1: d0ec8ded323f3bf6ba572e8035c48eeb1c04dc5f SHA-256: 401cf73d4de57acaa6b56d77fae6bee631cd7ca3795ea51c3d51c5b0d36d1a88

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, disguised as a download for a "driver booster app for pc". The heuristic firings strongly indicate malicious intent, with one specifically identifying the link as a malicious redirector. The ML classifier also flagged this PDF with high confidence. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=driver+booster+app+for+pc
- https://static.usrfiles.com/ugd/c4ccc4_a6eb4ec6d3404f978edc4cb0d5a478aa.pdf
- https://static.usrfiles.com/ugd/b5472a_2dfe9e7b116a46c49ce362517799f32e.pdf
- https://static.usrfiles.com/ugd/a64c8c_1398d95d083d4b0da3e1fa5e15338af9.pdf
- https://static.usrfiles.com/ugd/b8c837_6f951d23e3b24488b3288d3dd7a97ed9.pdf
- https://static.usrfiles.com/ugd/99afdc_2c22c5c9f45945c0a7058d99b14820b3.pdf
- https://static.usrfiles.com/ugd/41a0b6_3775c2f0c8854d2c9ba296660190919f.pdf
- https://static.usrfiles.com/ugd/d775a9_d8e3e3ca03324771800755ff5fd60ef8.pdf
- https://static.usrfiles.com/ugd/3826db_4aed98a2e9db4e098f392df127a75725.pdf
- https://cdn.shopify.com/s/files/1/0431/6073/1803/files/33952210321.pdf
- https://cdn.shopify.com/s/files/1/0433/7644/3543/files/axis_bank_address_change_form.pdf
- https://cdn.shopify.com/s/files/1/0465/0221/5832/files/27111942860.pdf
- https://cdn.shopify.com/s/files/1/0428/9875/1641/files/malarial_parasite.pdf
- https://cdn.shopify.com/s/files/1/0454/5308/2782/files/sijatuloraxaxunobuz.pdf
- https://cdn.shopify.com/s/files/1/0430/9614/6074/files/3017205629.pdf
- https://cdn.shopify.com/s/files/1/0432/8570/8968/files/49676947737.pdf
- https://cdn.shopify.com/s/files/1/0428/4927/1975/files/78267745426.pdf
- https://cdn.shopify.com/s/files/1/0429/0763/1782/files/kusirunumemu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000067f6.bin` `1a0e0d0243a12c3ef82afef1eee209e081877cc395adcc4de6e876b4caa75ae2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67F6	5176 bytes
`font_01_sfnt_off000079a9.bin` `a417a13066ad2fd0dbe06328c972c4fb52e39fa9dddd4dbd89ad75bcf6009f0a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79A9	10228 bytes
`font_02_sfnt_off00009cf7.bin` `f6e0f4a25f18a144688c6b7f40519a5efc98c72643b9054f89526e396d9b459d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9CF7	16144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.