Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7887fbbbce64ac8…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-09-19 13:53:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: abaa4c339e9f188044ed0592580c693d
SHA-1: 13bfeba546c197e8818166694a0f7c5ec6fe8d6a
SHA-256: b7887fbbbce64ac867d89c99780a40803aa137179496b1017fe5faf4ff18502b
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link (the sample carries a clickable redirector URL rather than an executable attachment; the SEO/link-farm delivery described below maps more precisely to T1608.006 SEO Poisoning)
  • T1059.001 PowerShell (campaign-level mapping; nothing in this static report, neither the heuristics nor the carved artifacts, shows a script, launch action or embedded executable in the sample itself)

The PDF carries a critical-severity finding for a clickable link to a known malicious redirector (ttraff.link); the same URL also appears in the document body text. Alongside it, the 44 KB file holds twelve more clickable links to other PDFs on shared file hosting (six on filesusr.com subdomains, three on cdn.shopify.com, three on other sites), many of which appear to point to ordinary documents. That mass cross-linking is the pattern of a generated SEO link-farm carrier, not of a document's own citations. The Nyx PDF classifier independently scored the file 1.0000 malicious. The heuristics attribute the risk to user interaction and the redirect chain behind the link, not to a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than a PDF parser vulnerability, so the reader's patch level is not the relevant control; blocking the redirector host and the final landing chain is.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (present as a link annotation and in the document body):
    • https://ttraff.link/wix?keyword=goblin+slayer+light+novel+volume+6+epub
    External PDF links (12; six on filesusr.com subdomains, three on cdn.shopify.com, three on other hosts):
    • http://files.alvareztyping.com/uploads/1/3/0/7/130738933/mavidisomexu.pdf
    • http://daxabax.kangenwater-detox.be/uploads/1/3/2/3/132303168/154bcb11cb0b.pdf
    • http://files.julielordsart.net/uploads/1/3/1/6/131606537/5158181.pdf
    • https://5f67cba1-ec1b-46a6-8093-66ec4812c446.filesusr.com/ugd/d17951_68a7bb22f7444afb9f6b7c6b3956d9be.pdf?index=true
    • https://d0ab436f-3c52-497b-8d5a-0f3049698ef3.filesusr.com/ugd/2f3ac6_f64a8ded988b45c48318b31d067d2d82.pdf?index=true
    • https://586495d5-fd06-4a6a-9d99-c0391410e3d6.filesusr.com/ugd/7c41c1_b93a01db7b6a4446b765cdb036dc2604.pdf?index=true
    • https://655323c8-ab46-4385-95b9-59783d2bd9cd.filesusr.com/ugd/b81754_c57d0dd3506342f1b1e4c061e54db4b5.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/6731/8167/files/18744631698.pdf
    • https://cdn.shopify.com/s/files/1/0431/7052/9436/files/context_clues_worksheets_second_grade.pdf
    • https://cdn.shopify.com/s/files/1/0435/3399/2085/files/carnatic_music_tamil_book.pdf
    • https://09c23ed4-7959-444d-89ab-d38ed285a68f.filesusr.com/ugd/234f58_712ed5c60e2f4eed8dcfdca9f8b2a98a.pdf?index=true
    • https://f9ad431b-d0bc-41a4-9534-df98e13e52b9.filesusr.com/ugd/501a20_a13a346c83ed4b48a8cb8a99ce0cdb27.pdf?index=true
    XMP metadata namespace identifiers (not clickable links; these are the standard RDF, Dublin Core and Adobe XMP schema URIs the authoring tool writes into the document metadata):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
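The two link heuristics above can be reproduced outside the analysis platform. The following is an added example, not the platform's own code: it pulls /URI link-annotation targets out of uncompressed PDF objects with a regex (objects packed into compressed object streams, PDF 1.5 and later, would have to be decoded first), checks them against a constructed watchlist containing the redirector host named in this report, and applies constructed thresholds for the link-farm pattern (file size, number of external .pdf links, share of those links on one parent domain). The sample input is a constructed minimal PDF whose only content is link annotations to the URLs listed above; the thresholds, the watchlist and the helper names are assumptions.

```python
"""Re-implementation of the report's two link-based PDF heuristics.

Added example, not the analysis platform's code. Regex-scans /URI targets in
uncompressed PDF objects; watchlist, thresholds and the sample PDF are
constructed for illustration.
"""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal strings; the capture keeps backslash escapes for later undoing.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Host the report labels as redirector infrastructure (constructed watchlist).
REDIRECTOR_HOSTS = {"ttraff.link"}


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target, undoing PDF literal-string backslash escapes."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def parent_domain(url: str) -> str:
    """Collapse per-site subdomains (UUID.filesusr.com, cdn.shopify.com) to the
    last two labels; a crude stand-in for a public-suffix-list lookup."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyze(pdf_bytes: bytes, small_file: int = 256 * 1024,
            min_pdf_links: int = 8, cluster_ratio: float = 0.4) -> dict:
    """Apply the redirector and link-farm heuristics (thresholds are constructed)."""
    uris = extract_uris(pdf_bytes)
    findings = []
    redirectors = sorted({u for u in uris
                          if (urlsplit(u).hostname or "").lower() in REDIRECTOR_HOSTS})
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= small_file and len(pdf_links) >= min_pdf_links:
        top, n = Counter(parent_domain(u) for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             [f"{n} of {len(pdf_links)} .pdf links on {top}"]))
    return {"uris": uris, "pdf_links": pdf_links, "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed one-page PDF whose only content is link annotations to `urls`,
    written uncompressed so the regex scan sees every /URI."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>"]
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append("<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] "
                    f"/A << /S /URI /URI ({esc}) >> >>")
    out, offsets = "%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))          # all ASCII, so char offset == byte offset
        out += f"{num} 0 obj\n{obj}\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n"
    out += "".join(f"{off:010d} 00000 n \n" for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n"
    return out.encode("latin-1")


# URLs as listed in the report's EMBEDDED_URL section; the carrier PDF is constructed.
SAMPLE_URLS = [
    "https://ttraff.link/wix?keyword=goblin+slayer+light+novel+volume+6+epub",
    "http://files.alvareztyping.com/uploads/1/3/0/7/130738933/mavidisomexu.pdf",
    "http://daxabax.kangenwater-detox.be/uploads/1/3/2/3/132303168/154bcb11cb0b.pdf",
    "http://files.julielordsart.net/uploads/1/3/1/6/131606537/5158181.pdf",
    "https://5f67cba1-ec1b-46a6-8093-66ec4812c446.filesusr.com/ugd/d17951_68a7bb22f7444afb9f6b7c6b3956d9be.pdf?index=true",
    "https://d0ab436f-3c52-497b-8d5a-0f3049698ef3.filesusr.com/ugd/2f3ac6_f64a8ded988b45c48318b31d067d2d82.pdf?index=true",
    "https://586495d5-fd06-4a6a-9d99-c0391410e3d6.filesusr.com/ugd/7c41c1_b93a01db7b6a4446b765cdb036dc2604.pdf?index=true",
    "https://655323c8-ab46-4385-95b9-59783d2bd9cd.filesusr.com/ugd/b81754_c57d0dd3506342f1b1e4c061e54db4b5.pdf?index=true",
    "https://cdn.shopify.com/s/files/1/0431/6731/8167/files/18744631698.pdf",
    "https://cdn.shopify.com/s/files/1/0431/7052/9436/files/context_clues_worksheets_second_grade.pdf",
    "https://cdn.shopify.com/s/files/1/0435/3399/2085/files/carnatic_music_tamil_book.pdf",
    "https://09c23ed4-7959-444d-89ab-d38ed285a68f.filesusr.com/ugd/234f58_712ed5c60e2f4eed8dcfdca9f8b2a98a.pdf?index=true",
    "https://f9ad431b-d0bc-41a4-9534-df98e13e52b9.filesusr.com/ugd/501a20_a13a346c83ed4b48a8cb8a99ce0cdb27.pdf?index=true",
]

if __name__ == "__main__":
    for severity, code, detail in analyze(build_sample_pdf(SAMPLE_URLS))["findings"]:
        print(severity, code, detail)
```

Clustering by parent domain rather than by exact host is what makes the filesusr.com links count as one cluster: each Wix site sits on its own UUID subdomain, so a per-host count would miss the pattern. Run against the constructed carrier, the script reports both critical findings, with 6 of the 12 .pdf links on filesusr.com; a single-link document produces none.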

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font streams (sfnt-container TrueType/OpenType data, consistent with the wkhtmltopdf/Qt authoring shown in the metadata); no executable, script or second-stage payload was carved from the sample, which is in line with the heuristics attributing the risk to the link chain rather than to embedded content.

  • font_00_sfnt_off000058c9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x58C9
    Size: 5604 bytes
    SHA-256: d68e60410cbacf79cb0802fbf0dafa9b8b17ba017d5ef36d34c95eeca9b7680f
  • font_01_sfnt_off00006c42.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C42
    Size: 5720 bytes
    SHA-256: 2e80d1d68b9a9580978701454e3f77af00c3398429cfef5fb5e130cc496a0ac0
  • font_02_sfnt_off00007f97.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F97
    Size: 10056 bytes
    SHA-256: 1506a673dd8135b38bc1c653a51fcc672fb103b25d4a3a37681ae745c62bac59