PDF malware analysis — malicious · e5d0e26218649679

MALICIOUS

PDF

53.9 KB Created: 2020-08-13 22:31:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b1f6350a25e9956431dbf14b57c8cd39 SHA-1: 7f6eca24113a1a5def3d209c5d6ecba6507f44b7 SHA-256: e5d0e2621864967945c142befe0b69ba272e900df0ab59c1a371f022b3256deb

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the malicious URL which is likely intended to lead the user to a phishing or malware distribution site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=smith+canonical+form
- http://files.englishappliedlinguistics.com/uploads/1/3/2/6/132681144/sevomotitu.pdf
- http://sesefupi.wembdon-sunshiners.co.uk/uploads/1/3/0/8/130814297/9874719.pdf
- http://files.greatnatureom.com/uploads/1/3/1/3/131398279/58e1c2a55f.pdf
- https://cdn.shopify.com/s/files/1/0434/6255/7856/files/rofonemo.pdf
- https://cdn.shopify.com/s/files/1/0438/3437/6352/files/cds_2_2020_syllabus_download.pdf
- https://cdn.shopify.com/s/files/1/0432/8561/0654/files/pidiparu.pdf
- https://cdn.shopify.com/s/files/1/0429/7257/7946/files/44505605648.pdf
- https://cdn.shopify.com/s/files/1/0436/9648/8613/files/penorenutamozo.pdf
- https://cdn.shopify.com/s/files/1/0431/7921/2959/files/fakojezefumapem.pdf
- https://cdn.shopify.com/s/files/1/0434/0423/0805/files/partitura_de_hey_jude_para_saxo_alto_en.pdf
- https://cdn.shopify.com/s/files/1/0431/4444/6118/files/andreas_moritz_espaol.pdf
- https://cdn.shopify.com/s/files/1/0432/0513/2456/files/90893219756.pdf
- https://cdn.shopify.com/s/files/1/0437/9072/9377/files/como_sacar_tu_certificado_de_secundaria_en.pdf
- https://cdn.shopify.com/s/files/1/0440/6912/6309/files/29996296492.pdf
- https://cdn.shopify.com/s/files/1/0436/6984/8217/files/eos_70d_user_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/8616/7702/files/sosutapazapujogozozen.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tutokufumetuja.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007899.bin` `2baa4b5631e8ce5b7cc2d59ad7234c4b07437e8ea3c0c01b2435f5c3966bb019`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7899	5044 bytes
`font_01_sfnt_off0000898d.bin` `132c8d091f2aea07d320a9b318a2e0afe6501dee79616ea7d5b5201dcfa81afc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x898D	13124 bytes
`font_02_sfnt_off0000b3cf.bin` `7ae9ab78a93a53415642ac55f7ceb97e489e9166218561962f366efcd0fc1746`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB3CF	16380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.