PDF malware analysis — malicious · be387885664750bd

MALICIOUS

PDF

54.3 KB Created: 2020-08-09 18:53:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b6cbdc78bc99933a41e7c0ba383fc8c8 SHA-1: ac7bd861a7d9bda67f632417a8f4cfdc8bec5838 SHA-256: be387885664750bdd4a8f2ef2e4a9368c98f5daa3be950e9a010ee476c2bdc91

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a primary malicious redirector URL pointing to 'https://ttraff.cc/pify?keyword=yaseen+sharif+pdf+file+download'. This indicates a social engineering attempt to trick users into downloading further malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=yaseen+sharif+pdf+file+download
- http://files.kimatdesigns.com/uploads/1/3/0/8/130813448/ponajox.pdf
- http://files.paletteandpaper.com/uploads/1/3/1/6/131637125/jopip.pdf
- http://files.ayeeprettyblack.com/uploads/1/3/0/8/130874633/wodirefi-magimese-faxol-sobop.pdf
- http://todunu.creaturesofchichester.com/uploads/1/3/2/6/132682897/jaxoriwenaxupivi.pdf
- https://cdn.shopify.com/s/files/1/0434/5282/5750/files/12598912507.pdf
- https://cdn.shopify.com/s/files/1/0431/3651/6250/files/baladibanakamopuzixe.pdf
- https://cdn.shopify.com/s/files/1/0437/1054/6074/files/64669544437.pdf
- https://cdn.shopify.com/s/files/1/0430/5554/6517/files/86316095618.pdf
- https://cdn.shopify.com/s/files/1/0437/8198/0321/files/76532693138.pdf
- https://cdn.shopify.com/s/files/1/0436/7430/4662/files/xeliviwodiluduteli.pdf
- https://cdn.shopify.com/s/files/1/0435/4909/8148/files/carbomastic_15_lt.pdf
- https://cdn.shopify.com/s/files/1/0429/5426/0643/files/60807005785.pdf
- https://cdn.shopify.com/s/files/1/0432/8846/1478/files/bidonville_nougaro.pdf
- https://cdn.shopify.com/s/files/1/0429/5720/9753/files/ms_excel_vlookup_hlookup_pivot_table.pdf
- https://cdn.shopify.com/s/files/1/0440/7777/7061/files/administracion_de_base_de_datos_sql.pdf
- https://cdn.shopify.com/s/files/1/0427/4244/8295/files/kalabulibitunusevifiso.pdf
- https://cdn.shopify.com/s/files/1/0440/9815/8744/files/rogipaxuzipo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off00009587.bin` `98a71b25a8ed177b70f2ce1fb724f6ca6be278397cacf4dfc3b5c74436dd9a43`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9587	29992 bytes
`font_00_sfnt_off00006380.bin` `aacc9128aa67cf1fb279dfa2550f1e5092c3b917f62e9bbcd3b8c8c83adfa7f2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6380	5180 bytes
`font_01_sfnt_off0000752b.bin` `31efc6181d10053dc160991ee31b97923fd1a042b133e4e91d809dcc98c353e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x752B	9436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.