PDF malware analysis — malicious · 9cbfa7278916967b

MALICIOUS

PDF

55.8 KB Created: 2020-08-09 00:31:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ab1376b9f3ef7cde1767c4e2a3713e2e SHA-1: 0c6300592edbfd54111dd5b9a10b3e5c9a4fd1b4 SHA-256: 9cbfa7278916967b9a4d9c70f87aa7d23b07981c8ef7ad9f8d0dbb6b17389df1

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. The presence of a large number of external links suggests a link farm or SEO spamming operation, potentially leading to phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=biblia+de+estudio+esquematizada+reina+valera+1960+pdf
- http://gozupa.thomascalderselections.com/uploads/1/3/1/4/131437601/lesolikim-kawiwupedulev-vibakav.pdf
- http://zorulo.writerswithroomtobloom.com/uploads/1/3/0/7/130775918/garavefufab.pdf
- http://files.halleluyahfire.org/uploads/1/3/2/8/132815220/deec8b6e4.pdf
- https://cdn.shopify.com/s/files/1/0434/1222/6200/files/fuvojobexosuwejunomese.pdf
- https://cdn.shopify.com/s/files/1/0428/7945/1289/files/velegapinamamulu.pdf
- https://cdn.shopify.com/s/files/1/0429/6038/8252/files/89002451279.pdf
- https://cdn.shopify.com/s/files/1/0433/5943/6951/files/42272667947.pdf
- https://cdn.shopify.com/s/files/1/0431/5208/1053/files/analytical_maths_questions.pdf
- https://cdn.shopify.com/s/files/1/0441/1247/8360/files/42548154705.pdf
- https://cdn.shopify.com/s/files/1/0432/4343/8244/files/kedoletuxolulefivugaso.pdf
- https://cdn.shopify.com/s/files/1/0432/7427/2924/files/zefowe.pdf
- https://cdn.shopify.com/s/files/1/0439/0407/3880/files/26328232560.pdf
- https://cdn.shopify.com/s/files/1/0432/3557/3919/files/38301173162.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004843.bin` `cf71e92a1eaa1f2646ca3a4c8d190f8eed2863142838b3a0c136a0a8fdad98f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4843	17060 bytes
`font_01_sfnt_off00007e3f.bin` `c5950a96e0cfff444b40c641eea745d4cc8820f7fc124de5354c2166d1d2e684`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E3F	6116 bytes
`font_02_sfnt_off000092fe.bin` `fba56816464351a9a6e139845ed83d4e00c873a57e5ca87eccb1db7a362d65e4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x92FE	11860 bytes
`font_03_sfnt_off0000b9dc.bin` `389a5a281eb470fc4df5057fcb81a61a92ea34688355df1940d9e908d89b3f70`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB9DC	16248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.