PDF malware analysis — malicious · ecbf7ccc798d0a82

MALICIOUS

PDF

41.4 KB Created: 2020-08-15 17:47:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: be13f92338eaaae78d8ad22c90582203 SHA-1: d906144f9428a15bf2b1de4b6dd21f467835c16a SHA-256: ecbf7ccc798d0a82d06bb916d62f8e5db8df7b4de17a7170dd947f1a4a32fcfb

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link redirects to a known malicious URL. This indicates a phishing or scam attempt designed to drive traffic to malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=american%20english%20file%203%20pdf%20gratis
- http://files.bookhivebeerclub.com/uploads/1/3/0/9/130969910/f65beae6b726.pdf
- http://files.surviveessentially.com/uploads/1/3/2/6/132681315/69d67f.pdf
- http://pojipef.forensic-audit.org/uploads/1/3/1/8/131871980/rulanesirux.pdf
- http://ziwoval.slotattoo.com/uploads/1/3/1/8/131857334/xajixapidonixibudego.pdf
- http://files.karenfornes.com/uploads/1/3/0/7/130738644/rovixoxu_wupovanofagumo_bamimo.pdf
- https://cdn.shopify.com/s/files/1/0435/6793/9743/files/36159901828.pdf
- https://cdn.shopify.com/s/files/1/0433/9066/4860/files/ketojunal.pdf
- https://cdn.shopify.com/s/files/1/0436/6431/0425/files/big_little_farmer_apk_mod_free.pdf
- https://cdn.shopify.com/s/files/1/0430/2431/8618/files/onlinemeded_intern_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/47184882359.pdf
- https://cdn.shopify.com/s/files/1/0439/7518/0446/files/38972050814.pdf
- https://cdn.shopify.com/s/files/1/0432/3255/9267/files/fazigijifu.pdf
- https://cdn.shopify.com/s/files/1/0429/8476/7641/files/43533513526.pdf
- https://cdn.shopify.com/s/files/1/0429/8326/0314/files/anti_bribery_management_system.pdf
- https://cdn.shopify.com/s/files/1/0429/5763/5735/files/mugekavalaxufuvetukifuku.pdf
- https://cdn.shopify.com/s/files/1/0435/5542/2369/files/44689175326.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004b43.bin` `1312e7e38c3d5c8ee3082ea17746ecbffcace52bf1162a900a1e012de0aacde1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4B43	5400 bytes
`font_01_sfnt_off00005d59.bin` `a14e3613ee24880fb33249c1fa12e0f4b773b44a4dd6860e680e2659c346eabf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5D59	13940 bytes
`font_02_sfnt_off00008858.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8858	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.