PDF malware analysis — malicious · e5d7d13d73b621cf

MALICIOUS

PDF

62.3 KB Created: 2020-09-19 06:22:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b78322de59635caf32d71e9d05e6c74b SHA-1: a31837415249d29a883fa3baee275f8a728bf43b SHA-256: e5d7d13d73b621cf3fc3de4bae018cbcce7edcd02fe1c79dcf9f981ee709ffbf

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a malicious domain, disguised as a product manual. This is further supported by heuristics indicating a malicious redirector and a link farm. The document body contains the lure text and the malicious URL. The primary attack pattern involves social engineering to trick the user into visiting a harmful site.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=hotpoint+microwave+mwh2021x+manual
- https://cdn.shopify.com/s/files/1/0432/3406/6594/files/tixosixar.pdf
- https://cdn.shopify.com/s/files/1/0429/6150/2362/files/transcription_and_translation_worksheet_answers.pdf
- https://cdn.shopify.com/s/files/1/0433/0536/9758/files/87888388571.pdf
- https://cdn.shopify.com/s/files/1/0434/5623/3638/files/capital_expenditure_example_forms.pdf
- https://cdn.shopify.com/s/files/1/0431/0056/9766/files/phonics_activity_sheets_for_grade_1.pdf
- https://adf9501e-0572-478e-92af-4718a4518400.filesusr.com/ugd/a467d2_0d90ae70cd2c48d4b66eda26b4a506fd.pdf?index=true
- https://67eba2c6-5850-4901-90b8-4a49ab5236b6.filesusr.com/ugd/fe83c3_35c8ab26ec2c424abe6fdaf8e7912edc.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/1725/6603/files/jiwurone.pdf
- https://cdn.shopify.com/s/files/1/0429/4151/3894/files/arthralgia_adalah.pdf
- https://cdn.shopify.com/s/files/1/0434/2513/6792/files/plural_form_of_apparatus.pdf
- https://cdn.shopify.com/s/files/1/0485/9507/5237/files/pedagogy_of_the_oppressed_full.pdf
- https://cdn.shopify.com/s/files/1/0427/7898/4614/files/80949657008.pdf
- https://cdn.shopify.com/s/files/1/0433/6225/5006/files/wofotivo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009f02.bin` `06feb1586ed41b2d7af07f998141cd6f00a7996356e452280bb39de15bec59ce`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F02	5384 bytes
`font_01_sfnt_off0000b12e.bin` `e9ebce594203a4bb232487ece3f826d2886baa33da1a593924d54467060bbf05`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB12E	2156 bytes
`font_02_sfnt_off0000ba9a.bin` `f146a47139b17a588c2475f9ce46c8b3dc25dda816524ebadb1973716d20d75b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBA9A	10256 bytes
`font_03_sfnt_off0000ddaf.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDDAF	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.