PDF malware analysis — malicious · 8cb79b3e63ba8ec6

MALICIOUS

PDF

47.1 KB Created: 2020-08-14 19:21:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c9511c8eb46e79fad3305e8b33df8a64 SHA-1: 56b072d2e019602ad725d1086ab4295d8b901cd0 SHA-256: 8cb79b3e63ba8ec6385d6c822338801b14672c78641fc1837280dd566a7e703a

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link farm and a specific URL pointing to a known malicious redirector, disguised with a 'stony brook email format' lure. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains the malicious URL and references to other PDFs, suggesting a delivery mechanism for further malicious content or phishing attempts.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=stony+brook+email+format
- http://files.lovettadvisors.com/uploads/1/3/2/6/132695334/tuzetenozapevik.pdf
- http://nuxodego.orojoy.com/uploads/1/3/1/3/131383837/2750779.pdf
- https://cdn.shopify.com/s/files/1/0429/6045/3785/files/wamudoba.pdf
- https://cdn.shopify.com/s/files/1/0440/5932/8662/files/sony_scd-_ce595.pdf
- https://cdn.shopify.com/s/files/1/0431/2222/9397/files/xetefapip.pdf
- https://cdn.shopify.com/s/files/1/0440/9258/8184/files/armonia_cromatica_edicion_pantone_gratis.pdf
- https://cdn.shopify.com/s/files/1/0433/2060/6885/files/zaxijuferezowikul.pdf
- https://cdn.shopify.com/s/files/1/0433/5131/0488/files/20489324647.pdf
- https://cdn.shopify.com/s/files/1/0430/3942/4669/files/64741603614.pdf
- https://cdn.shopify.com/s/files/1/0434/9722/6402/files/jajinaduxa.pdf
- https://cdn.shopify.com/s/files/1/0430/1278/4277/files/83663713256.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tevedizulav.pdf
- https://cdn.shopify.com/s/files/1/0432/6519/6197/files/early_adulthood_physical_development.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007769.bin` `1750cdaacf5525b19fef966f8e4c067b6de4f66806057e48e922d62467dcd1fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7769	5144 bytes
`font_01_sfnt_off000088dc.bin` `6252a00f5f1f07412a9ac4132efcecc4e69441fd9a289a86586be3369b0a2019`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x88DC	12056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.