PDF malware analysis — malicious · f60210397dad7460

MALICIOUS

PDF

44.3 KB Created: 2020-08-09 15:09:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a10b57a7b466546f9836aa16d60ccd6a SHA-1: 43f2b9378acbafde1d5599ed98b8d583967d3b95 SHA-256: f60210397dad74603061a92c867cc1f3cd03e4291b2d2a0bb92ad3b6c1e0cb5d

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Past tense simple and continuous worksheets pdf' and includes the malicious URL. This suggests a social engineering lure to drive traffic to malicious infrastructure, likely for further exploitation or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=past+tense+simple+and+continuous+worksheets+pdf
- http://files.newholocaustliterature.com/uploads/1/3/2/7/132740339/jidakonizawofuboxuzo.pdf
- http://files.brickhouseroofing.com/uploads/1/3/2/7/132740892/2969378.pdf
- http://dokopo.jrestrada.com/uploads/1/3/1/3/131383791/pumokuro.pdf
- http://files.saadiqlarue.com/uploads/1/3/1/4/131453456/a1c42e0.pdf
- http://files.rasaddleclublarkhill.com/uploads/1/3/0/8/130874360/wugotani.pdf
- https://cdn.shopify.com/s/files/1/0440/9743/7848/files/noxevubosaxezoloxufap.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52733892229.pdf
- https://cdn.shopify.com/s/files/1/0428/5975/7734/files/40469295576.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wemulaw.pdf
- https://cdn.shopify.com/s/files/1/0432/8354/6267/files/zekibalilosaz.pdf
- https://cdn.shopify.com/s/files/1/0432/3944/0543/files/gidejojulere.pdf
- https://cdn.shopify.com/s/files/1/0428/1974/7999/files/fibababuwozafisuvir.pdf
- https://cdn.shopify.com/s/files/1/0430/0088/9507/files/pifata.pdf
- https://cdn.shopify.com/s/files/1/0427/9074/8316/files/wabobakasefelez.pdf
- https://cdn.shopify.com/s/files/1/0429/9885/7891/files/36316216581.pdf
- https://cdn.shopify.com/s/files/1/0437/3191/0821/files/clicker_heroes_hacks.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/30553092986.pdf
- https://cdn.shopify.com/s/files/1/0434/0423/0805/files/mafesowawetejitedo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e7c.bin` `5bd08c1ac73de946914d407d93b7f09c47731585d58d9baf62e02db2d067242f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E7C	5552 bytes
`font_01_sfnt_off00008142.bin` `09038c32eaab0b56235ed99a3efe8d848aeec5598b7862db303f2904a881109e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8142	10084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.