PDF malware analysis — malicious · e0cb5c62d75b0711

MALICIOUS

PDF

70.8 KB Created: 2020-08-06 18:18:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a65a7cdc48fab497a445bb1436757767 SHA-1: a64c703e01882f063e92c54549e9b4ee55495352 SHA-256: e0cb5c62d75b0711b6732b608c82b69d638f8383aaad3704358cc51af7b59c3d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=credit+risk+management+pdf+free+download', which is likely intended to lure users into downloading further malicious content. The PDF also hosts a large number of external links, suggesting a link farm for SEO manipulation, as flagged by PDF_SEO_LINK_FARM.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=credit+risk+management+pdf+free+download
- http://files.blueribbonhomeimprovementinc.com/uploads/1/3/0/7/130776298/pofumuroba.pdf
- http://files.briankerr3d.com/uploads/1/3/1/3/131381452/zezoforunixov.pdf
- http://files.kalbproject.com/uploads/1/3/1/8/131871390/vuzexevonovigam.pdf
- https://cdn.shopify.c
- https://cdn.shopify.com/s/files/1/0430/6403/3429/files/keduvagisoxem.pdf
- https://cdn.shopify.com/s/files/1/0434/8428/3033/files/92601123105.pdf
- https://cdn.shopify.com/s/files/1/0433/8683/0998/files/50443410667.pdf
- https://cdn.shopify.com/s/files/1/0434/4355/2416/files/xodag.pdf
- https://cdn.shopify.com/s/files/1/0430/8857/6661/files/nunox.pdf
- https://cdn.shopify.com/s/files/1/0432/0028/2783/files/xbox_360_save_editor.pdf
- https://cdn.shopify.com/s/files/1/0429/9590/8761/files/29333578333.pdf
- https://cdn.shopify.com/s/files/1/0431/1570/8573/files/88219191183.pdf
- https://cdn.shopify.com/s/files/1/0437/6972/5085/files/unir_archivos_online_sin_limite.pdf
- https://cdn.shopify.com/s/files/1/0428/5900/4070/files/vebabexumiromexubarokan.pdf
- https://cdn.shopify.com/s/files/1/0431/5830/6965/files/24936860345.pdf
- https://cdn.shopify.com/s/files/1/0430/1085/0979/files/tuwivelavakok.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c9c0.bin` `57b36ea03135a4a81f6ce9e1d61945d7efb42fc966c9bd2dae336ba3580cc8fb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC9C0	5328 bytes
`font_01_sfnt_off0000dbe1.bin` `e27c59b65d24a45d181c3d09c0747aab60f3f28cc39a9a0fd6d619cae09ddfd8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDBE1	10500 bytes
`font_02_sfnt_off0000ffd4.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFFD4	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.