PDF malware analysis — malicious · d79ad6fd99f2799c

MALICIOUS

PDF

52.7 KB Created: 2020-08-21 17:04:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a9f2f9d3d33b395cf01b97f8565d6153 SHA-1: 966b1423f6c27db29fa68e0496b2fa35a30995d4 SHA-256: d79ad6fd99f2799cd42e800ce73fa4f7af3b2eb5aa7e267f7e2bb31acfb037e1

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file contains a lure for "Tamil 4k ultra hd movies free" and embeds a link to a known malicious redirector. The redirector is configured to lead users to potentially harmful content. The PDF also contains a large number of links, many of which point to Shopify domains, suggesting a link farm or SEO manipulation tactic to distribute malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=tamil+4k+ultra+hd+movies+free
- http://files.digitalmindset.ltd/uploads/1/3/1/4/131414561/1e666e9ea7e5637.pdf
- https://cdn.shopify.com/s/files/1/0437/7539/3944/files/business_impact_analysis_report.pdf
- https://cdn.shopify.com/s/files/1/0429/2254/1209/files/65889714017.pdf
- https://cdn.shopify.com/s/files/1/0445/5153/6799/files/physical_chemistry_tinoco_5th_edition_download.pdf
- https://cdn.shopify.com/s/files/1/0432/6529/4504/files/59574227695.pdf
- https://cdn.shopify.com/s/files/1/0427/9762/9596/files/fupuf.pdf
- https://cdn.shopify.com/s/files/1/0432/3786/7687/files/days_of_the_week_in_german.pdf
- https://cdn.shopify.com/s/files/1/0433/5806/0703/files/peasants_quest_walkthrough.pdf
- https://cdn.shopify.com/s/files/1/0431/5460/4198/files/riwisi.pdf
- https://cdn.shopify.com/s/files/1/0437/0278/0057/files/tower_of_heaven_game.pdf
- https://cdn.shopify.com/s/files/1/0434/1530/6405/files/bojabamevenila.pdf
- https://cdn.shopify.com/s/files/1/0430/7091/4717/files/bwv_1080.pdf
- https://cdn.shopify.com/s/files/1/0435/2632/4383/files/web_design_proposal_template.pdf
- https://cdn.shopify.com/s/files/1/0434/6799/7344/files/ielts_speaking_test_part_1.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off000074a1.bin` `d09ebbe03bdce27f4dafec2816fecc5c9b7675a9094e46a1b105bb8a515ac2f5`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x74A1	13032 bytes
`font_00_sfnt_off000062b3.bin` `616f2a33e8220d339236f23729b00da504e458a9ac3f7cf5719561ba834228ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62B3	5308 bytes
`font_02_sfnt_off00009624.bin` `77e8907dfa283e745f5f1f37ba773a21f4bebdbacc361a10a1abeca83bb64007`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9624	15236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.