PDF malware analysis — malicious · a88cf77e42b36fae

MALICIOUS

PDF

54.1 KB Created: 2020-07-16 11:33:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b2589ff5c46f07b13e0d3bbf587bb66f SHA-1: 5812f469c182f128e1bd1243c24a18e19a5b2744 SHA-256: a88cf77e42b36faef63b0ae3711f1df4a5c3f3f52fdf525bebcb2887d0c444df

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links that redirect to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to 'Access database 2020 tutorial pdf', suggesting a lure. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=access+database+2020+tutorial+pdf
- http://files.sungminrho.com/uploads/1/3/0/9/130969731/1e0363d.pdf
- http://files.echoflowyoga.com/uploads/1/3/0/7/130776250/6638732.pdf
- http://files.hannanicholeart.com/uploads/1/3/0/8/130874627/xawitide-simaretofumopu-tememiza-labikomovazude.pdf
- https://jugafifider.files.wordpress.com/2020/07/71072913099.pdf
- https://fezipok.files.wordpress.com/2020/06/58880480454.pdf
- https://xudepojaj.files.wordpress.com/2020/07/nivazufitijemutogevinole.pdf
- https://wedikul.files.wordpress.com/2020/06/kaxegalenasudep.pdf
- https://rabedebeg.files.wordpress.com/2020/06/jemoxomosezakozezav.pdf
- https://dixurozazix.files.wordpress.com/2020/07/kowomumereziduzupu.pdf
- https://ratekoxon.files.wordpress.com/2020/06/87369024492.pdf
- https://jekebizuwu.files.wordpress.com/2020/06/tulunebomonupera.pdf
- https://cdn.shopify.com/s/files/1/0427/8360/4903/files/51220103530.pdf
- https://cdn.shopify.com/s/files/1/0433/1434/8197/files/derujezijigoto.pdf
- https://cdn.shopify.com/s/files/1/0434/7992/4893/files/71255575792.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/64989875230.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dosoxuwananeworatimuk.pdf
- https://cdn.shopify.com/s/files/1/0433/5537/3720/files/biropumalagubogat.pdf
- https://cdn.shopify.com/s/files/1/0428/3082/3583/files/67894539535.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78046530146.pdf
- https://cdn.shopify.com/s/files/1/0432/4959/8632/files/82716162399.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009676.bin` `a88aeba57cff0d9899489df3a8272edbf4c5f1f59461d032f8b1b52934f36443`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9676	5328 bytes
`font_01_sfnt_off0000a894.bin` `19b709c37b57bbfed24ff988fbbc292c461f1f1fdda6023ade600cd2c8081e0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA894	9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.