PDF malware analysis — malicious · f603d45295607bea

MALICIOUS

PDF

41.8 KB Created: 2020-08-18 19:24:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ab9b6cbe40038f3754745f8c41498456 SHA-1: 2cd9e1cdb5f1ee3b53b12bcbeeeb70bd4716a199 SHA-256: f603d45295607beadbf34338bb05fe7e23499a7e7377b23b87160eea49bcd0a4

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and references to a 'size guide', suggesting a lure to trick users into visiting the malicious site. The ML classifier strongly indicates maliciousness, and the PDF structure is consistent with link-farming and redirection techniques.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=cp+company+hat+size+guide
- http://files.conniedillon.com/uploads/1/3/2/6/132681164/7935875.pdf
- http://files.cristinanoelfrias.com/uploads/1/3/1/3/131398406/e073a9f12e.pdf
- http://files.wickenburgbootsbreastcancer.org/uploads/1/3/1/4/131406075/xibuzafa-noviresosof-luvibabiw-tefifigigi.pdf
- https://cdn.shopify.com/s/files/1/0428/6965/3663/files/nuguguposorak.pdf
- https://cdn.shopify.com/s/files/1/0436/5221/9030/files/arquitectura_sustentable.pdf
- https://cdn.shopify.com/s/files/1/0429/5737/3589/files/77525283176.pdf
- https://cdn.shopify.com/s/files/1/0435/7259/2801/files/gowudorisetuvujufa.pdf
- https://cdn.shopify.com/s/files/1/0429/9636/7511/files/87848771575.pdf
- https://cdn.shopify.com/s/files/1/0432/0722/9597/files/12222195752.pdf
- https://cdn.shopify.com/s/files/1/0437/2630/7480/files/xijodanitovosalosazedum.pdf
- https://cdn.shopify.com/s/files/1/0432/7240/5157/files/17829580684.pdf
- https://cdn.shopify.com/s/files/1/0428/3917/9420/files/tuluribatis.pdf
- https://cdn.shopify.com/s/files/1/0430/0813/1233/files/14525783740.pdf
- https://cdn.shopify.com/s/files/1/0430/4489/6925/files/nadaradupuw.pdf
- https://cdn.shopify.com/s/files/1/0431/3264/9636/files/calendario_365._es_2020.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005800.bin` `19d87eecb74b5a34688253da9e80a5f96cc31907e539f68295aaece199fffb73`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5800	5416 bytes
`font_01_sfnt_off00006a45.bin` `12c1e347b44be2f6e03db6780a32e359fb119e0f8b5522f8025fc26a372b3ab5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A45	9980 bytes
`font_02_sfnt_off00008c65.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C65	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.