PDF malware analysis — malicious · c7c28a1937b087fd

MALICIOUS

PDF

33.5 KB Created: 2020-09-17 09:48:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b1d8e56e10d103221b82fcf7f7ecced4 SHA-1: b7374aa5e90a91150a0cbe000caa16035023ec22 SHA-256: c7c28a1937b087fd02f8e91b883a29a56be6bdf4df1ab83cf568dc634dd7b26d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large link farm. The embedded URLs, such as 'https://ttraff.me/wix?keyword=binghamton+som+reddit' and 'http://toladolix.kvegasnuts.com/uploads/1/3/2/6/132681352/venajumodavadu.pdf', are likely part of a campaign to lure users to malicious sites. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=binghamton+som+reddit
- http://toladolix.kvegasnuts.com/uploads/1/3/2/6/132681352/venajumodavadu.pdf
- http://files.unleashedministry.com/uploads/1/3/0/9/130969169/zejab.pdf
- http://files.bestoftimeswatch.com/uploads/1/3/1/3/131379749/e4facd24be.pdf
- http://vabenise.arteyepretty.com/uploads/1/3/0/8/130874104/jimodapi_fumoj_tiwexis_zabibunaninuvas.pdf
- http://lubuzajo.gammadiamonds.com/uploads/1/3/1/8/131871699/tozelifakawasi.pdf
- http://files.sehjournal.com/uploads/1/3/2/6/132682868/bipisowak_nugetatenut.pdf
- http://zevoje.clearmomentsupplies.com/uploads/1/3/1/1/131164250/bobuvone_xetajerurib_paselakepot_zizutafetes.pdf
- http://xusiwenul.lockmangenetics.com/uploads/1/3/1/4/131407921/muboxog_vopan.pdf
- https://af78ddec-312f-4416-a866-d4a39ba5b71c.filesusr.com/ugd/0511f5_1a4b34f710cd412796e3eebadb8e905d.pdf?index=true
- https://41c6e464-fa39-405b-9f2b-5038c43d1d08.filesusr.com/ugd/19ce5d_1fb0fdfb5ec74a1887dd161db875be40.pdf?index=true
- https://28ebb74a-d66d-48ed-b5e1-7b0911bf3f03.filesusr.com/ugd/e4a001_e909a3332e9744cf96996fb2f0737d6a.pdf?index=true
- https://314d5fdb-7755-44a1-b1c5-42a95527616a.filesusr.com/ugd/9ff9b8_21b6974d114e4cd38b73d544b1a4d33b.pdf?index=true
- https://cb2f2529-5529-4bea-85af-de20ad7d0e64.filesusr.com/ugd/5de1df_e6682506e3d046df85e882082db33777.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/6660/5209/files/sfg_2_3._6_mod_apk.pdf
- https://cdn.shopify.com/s/files/1/0429/3728/6812/files/11856000673.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000479f.bin` `79fc574d08394669d8c28804681c8ef186a9242f784fb0b4b925226e5da24678`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x479F	5256 bytes
`font_01_sfnt_off00005951.bin` `8c26fa76465ffc836110a1f46e9f3c7ea4fc04fdcd7f9f476714495ac3fdb872`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5951	9428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.