PDF malware analysis — malicious · b8aa2374cd1f5e3f

MALICIOUS

PDF

34.9 KB Created: 2020-08-30 15:46:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a1d200a8d8f6a80c1f816cb273d7cd7a SHA-1: e1737d89d3b21d2f091024ee3606232bee91ade4 SHA-256: b8aa2374cd1f5e3f8f3b3a4dbf90593fb22265774259d64f5a3d80fd77c6c502

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to a 'Dodge journey sxt 2015 manual' and the malicious URL, suggesting a lure to a phishing or malware distribution site. The presence of a malicious redirector link and a large number of embedded links strongly indicates a malicious intent to redirect the user to a harmful destination.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=dodge+journey+sxt+2015+manual
- https://cdn.shopify.com/s/files/1/0439/2783/0696/files/ostrich_farming_in_nigeria.pdf
- https://cdn.shopify.com/s/files/1/0435/8668/3037/files/nedixilivo.pdf
- https://cdn.shopify.com/s/files/1/0429/7926/2615/files/cjbat_practice_test.pdf
- https://cdn.shopify.com/s/files/1/0431/8570/1025/files/cyrano_de_bergerac_script.pdf
- https://static.usrfiles.com/ugd/b8c837_177931efe49c486783dce7cb869685ac.pdf
- https://static.usrfiles.com/ugd/57c819_1846dbbd51294b9ea144e37e71e51b07.pdf
- https://static.usrfiles.com/ugd/b4a829_dc97fe8441f34f00af4d58717f4a59ff.pdf
- https://static.usrfiles.com/ugd/0adedf_108d8ea46acb4e76863ced0f2c505c8d.pdf
- https://static.usrfiles.com/ugd/c1615c_537529e8724349e3b8513485fcbf8973.pdf
- https://static.usrfiles.com/ugd/0779a3_75d7755124c34c2fa0930768fa471d19.pdf
- https://static.usrfiles.com/ugd/10e3af_4e5db791052e4d17a68ba8793ac2569e.pdf
- https://static.usrfiles.com/ugd/b8c837_f53f307fa0df48128f1fe8f7a253689a.pdf
- https://static.usrfiles.com/ugd/b8c837_76409856b9294693a9f06cf6e0a0edd5.pdf
- https://static.usrfiles.com/ugd/a91264_7b0afa3faee047a69b68f32344ff3a8b.pdf
- https://static.usrfiles.com/ugd/b8c837_9e3b4622226e425fbc95cc7d4cf7127b.pdf
- https://static.usrfiles.com/ugd/e3ed1f_9fedd86c81af46bbb5b7e354ff35e2fc.pdf
- https://static.usrfiles.com/ugd/b8c837_988c0c7e86fa4635926f388796f04f61.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000048d8.bin` `9f0d4f17d0c4017e76755930291069293a188a967e6467b8bbd1a91c5c3d5523`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x48D8	5840 bytes
`font_01_sfnt_off00005cca.bin` `085f737a4e9ab57e039b456394eeed86aafc922492bca796c0f20dda776bd87b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5CCA	10052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.