PDF malware analysis — malicious · 586f2311568c8d8d

MALICIOUS

PDF

92.2 KB Created: 2020-09-01 00:54:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b121344150700188e886aa2bb7867b87 SHA-1: b6194df61c9ded0980b48fc1d47c8f5888026552 SHA-256: 586f2311568c8d8d6ce56244c88b15404ff45281c3e503556adb5f6045fab969

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to a redirector URL. The document body, though heavily obfuscated, contains text related to 'epel repo centos 6' and the malicious URL, suggesting a lure to trick users into clicking on malicious links. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=epel+repo+centos+6
- https://static.usrfiles.com/ugd/41a0b6_8a1dc32b5a37434bacc44f262a2a2c49.pdf
- https://static.usrfiles.com/ugd/b8c837_57f863d9bab34c468be7b9f1bb901095.pdf
- https://static.usrfiles.com/ugd/50c35f_632bb1539e7041868d3eb2b6232b58a8.pdf
- https://static.usrfiles.com/ugd/69b86f_553d35c91b9846b0b26acfa1f2e856a8.pdf
- https://static.usrfiles.com/ugd/b8c837_8a65298334da4510b6ed68a339334389.pdf
- https://static.usrfiles.com/ugd/cc089a_57a112bc239c442eb3de66fd494773c7.pdf
- https://static.usrfiles.com/ugd/71fd01_8b78ab8fde3c458da3b5c968678de1f2.pdf
- https://static.usrfiles.com/ugd/b8c837_dad603711759498baecad27aba6bcb64.pdf
- https://static.usrfiles.com/ugd/37428b_cfbf067212b1488bb5d7e6b858af97c8.pdf
- https://static.usrfiles.com/ugd/b8c837_eea4112683c54a28bbe9606a482bf2ab.pdf
- https://static.usrfiles.com/ugd/a01749_42964e32be934ed5a4384d3bbc495f1e.pdf
- https://static.usrfiles.com/ugd/b28561_61013a497b264cb7971a64dabc45ac5b.pdf
- https://cdn.shopify.com/s/files/1/0429/4246/4163/files/supodadu.pdf
- https://cdn.shopify.com/s/files/1/0435/2521/0263/files/la_anemia_en_nios.pdf
- https://cdn.shopify.com/s/files/1/0439/4758/9800/files/avast_licence_key_2038.pdf
- https://cdn.shopify.com/s/files/1/0465/8167/8247/files/bhaiya_tamil_hd_video_song.pdf
- https://cdn.shopify.com/s/files/1/0429/9830/0823/files/fluid_mechanics_hibbeler_solution_manual.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e324.bin` `fa946fca66eea9f6da9fcd863c04ce8346e4a865c2edd42186ce1398e76c32a2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE324	19168 bytes
`font_01_sfnt_off00011c5e.bin` `c237457c08d60bdd15588f22cf7ca32c4e22eda3e84aff72a19dff3ebce4aa0a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11C5E	4828 bytes
`font_02_sfnt_off00012ce3.bin` `2496ed472c85988d971848e653edb231ef6d422eec8f27f69253e9912d474a9e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12CE3	17300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.