PDF malware analysis — malicious · 8c5bf4a8f34654f7

MALICIOUS

PDF

46.7 KB Created: 2020-09-01 00:03:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bf3fdec213052c7aa2042312d871a088 SHA-1: e6adf01aea64e77ccf3bb54f4ac048cfba1ad93f SHA-256: 8c5bf4a8f34654f72a50bad7649ccbfd7bc52acae7ecb82a479623880b5ce99c

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary heuristic indicates that these links lead to known malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious. The document body contains a URL that is also present in the heuristics, suggesting a lure to external content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=lagu+karaoke+arang+tampurung
- https://static.usrfiles.com/ugd/0d2908_3b133ea372624411b8ecb324ccd361c5.pdf
- https://static.usrfiles.com/ugd/6da380_029f0a8430ff4836ad59a81bbb7caaae.pdf
- https://static.usrfiles.com/ugd/003b86_4dc205ea38e9460e9df5ec09cc5853f2.pdf
- https://static.usrfiles.com/ugd/191a6d_0021ea7225ae4dd4ac48ec91fa50b1ab.pdf
- https://static.usrfiles.com/ugd/52b593_712ea371c6a644a48710af211121615e.pdf
- https://static.usrfiles.com/ugd/ce14f3_c1db2da8b03a4673ba47478b257725ca.pdf
- https://static.usrfiles.com/ugd/b916f4_1747ccf7a2fa43668e3a0bc8b8c67710.pdf
- https://static.usrfiles.com/ugd/8cbfce_ade4ed8d94f84b9888a3df7fd6f4123f.pdf
- https://static.usrfiles.com/ugd/db93e9_6d163d884f9447ee8c8bb3cb2c338af5.pdf
- https://static.usrfiles.com/ugd/b8c837_68c449a8f5514fd8bdec4b1be8db192b.pdf
- https://static.usrfiles.com/ugd/b8c837_e03b998dd02543e581a86a6f2010f241.pdf
- https://static.usrfiles.com/ugd/10e3af_a45bfc11d36140c78d3c43c8f09cc066.pdf
- https://static.usrfiles.com/ugd/b8c837_701354a6807d441eb5e5947bafd3f330.pdf
- https://cdn.shopify.com/s/files/1/0431/8789/6488/files/34550881503.pdf
- https://cdn.shopify.com/s/files/1/0435/6934/8763/files/email_domains_list.pdf
- https://cdn.shopify.com/s/files/1/0429/7018/5879/files/64385683310.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005a31.bin` `b2ba56bbd3b75752023fe6fde5af03e28bc62092974b51ff165794897e6dfd3b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5A31	4936 bytes
`font_01_sfnt_off00006af0.bin` `afc5b8a74c617f86405abef8a745a1763ba8182ba51ed39763d70a24eb208ce5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6AF0	14636 bytes
`font_02_sfnt_off00009892.bin` `95f2a8319533f051e584a9e2aa38e8d42f7eb419abe795cf0dce2d6390e2c0a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9892	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.