PDF malware analysis — malicious · 7ebd7171ca4557a6

MALICIOUS

PDF

43.6 KB Created: 2020-08-05 08:27:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 073d3ae4e61a923281e974d9fc03fa6b SHA-1: d292e3740e5354e49d2a1c61c9a7f96121b68293 SHA-256: 7ebd7171ca4557a6facc8b8c8f8e2a7ec4928f628feb565bfc858932696d1fb4

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=cecelia+ahern+the+gift+pdf+free+download'. This URL is likely used to redirect users to a malicious site. The document body also contains this URL, reinforcing its role in the attack. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm designed to improve search engine ranking for malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=cecelia+ahern+the+gift+pdf+free+download
- http://files.beechfieldumcbalt.org/uploads/1/3/2/3/132302859/xetosufuwuwora.pdf
- http://files.yukonshinevalley.com/uploads/1/3/0/7/130739871/bivenoz-tesatanir.pdf
- http://files.brandheroesacademy.com/uploads/1/3/1/0/131070786/depafokefiv.pdf
- https://cdn.shopify.com/s/files/1/0431/6197/6994/files/buxolofezitoxoduvi.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/parisibudipaxetiwori.pdf
- https://cdn.shopify.com/s/files/1/0439/2691/3179/files/beginners_python_cheat_sheet.pdf
- https://cdn.shopify.com/s/files/1/0431/3173/2125/files/bovuzuwugajukijuboravef.pdf
- https://cdn.shopify.com/s/files/1/0429/7061/1861/files/51375772023.pdf
- https://cdn.shopify.com/s/files/1/0434/2389/1618/files/90472714790.pdf
- https://cdn.shopify.com/s/files/1/0430/4447/0945/files/ambitious_baba_insurance.pdf
- https://cdn.shopify.com/s/files/1/0431/8127/7352/files/big_bang_theory_bloopers.pdf
- https://cdn.shopify.com/s/files/1/0433/7080/7459/files/gilijisuvorubigifeki.pdf
- https://cdn.shopify.com/s/files/1/0433/6903/7982/files/zidiluwufatosujuke.pdf
- https://cdn.shopify.com/s/files/1/0429/8774/9525/files/gelonenotifonadu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f8b.bin` `3ae143746865a553b18fd4070e8d9df32ed1323b0466a931bf4f8c82d7fc2d9e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F8B	5144 bytes
`font_01_sfnt_off0000710d.bin` `0b135c045d31c10ff14b0ba4bef6520aca18af2b220d53ad2c913f7d95878d09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x710D	10004 bytes
`font_02_sfnt_off00009339.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9339	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.