Malicious PDF — malware analysis report

Static analysis result for SHA-256 bccf2258f0bc78ef…

MALICIOUS

File type: PDF
Size: 37.5 KB
Created: 2020-09-18 09:15:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bcdde8a60fcd68c5376f1284e1ff35f7
SHA-1: c7c0a4629a9f641c35f5ef4fb291012932cd0792
SHA-256: bccf2258f0bc78efe213e4e52e16982b1a2194f3babbd5bb2daf0fe5da808aa2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link that is designed to lure users into downloading potentially harmful content. The document body, though partially corrupted, contains text related to downloading a manual, which aligns with the malicious link's keyword. The PDF was flagged by multiple critical heuristics for malicious redirector links and link farms, indicating a clear intent to direct users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.link/wix?keyword=ama+manual+of+style+11th+edition+pdf+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off00005203.bin
    SHA-256: 0f2367d21d510372d2d24073f0daf8c426c6d86eed6cd85d2c6c40e9d5fa21aa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5203
    Size: 5516 bytes
  • font_01_sfnt_off000064b6.bin
    SHA-256: bcca10e1b2759e5e79e1412639b99787946d7ad1e6b0d4033f85c03bc2b0b2d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x64B6
    Size: 10560 bytes