PDF malware analysis — malicious · f6f9ec55fca2fa4a

MALICIOUS

PDF

35.7 KB Created: 2020-09-05 23:42:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9d76c6e112baa0059cbaae96132c2488 SHA-1: 2c282ada1a1be86506ceadd1be95fb54893ce645 SHA-256: f6f9ec55fca2fa4ac453ec25031d3602c0dc56405bb78853aaa45c5f2ead95aa

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, likely intended to lure the user into clicking it. The document body, though heavily obfuscated, contains the text 'Calling bell sound effect' and the malicious URL, suggesting a social engineering pretext. The presence of numerous other PDF links, many hosted on Shopify and static.usrfiles.com, indicates a link farm strategy, potentially to obscure the malicious redirector.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=calling+bell+sound+effect
- https://cdn.shopify.com/s/files/1/0432/2482/6014/files/wukesunogew.pdf
- https://cdn.shopify.com/s/files/1/0431/8881/3988/files/94238238954.pdf
- https://cdn.shopify.com/s/files/1/0432/8731/4585/files/common_idioms_list_with_meanings.pdf
- https://static.usrfiles.com/ugd/834936_e7141f46679f4dbb9c5eed84159eb71d.pdf
- https://static.usrfiles.com/ugd/b8c837_0b59d6537ef348f5a778430726f63811.pdf
- https://static.usrfiles.com/ugd/72b0e7_398a3e9704b74bd0ad2ac47fc9e64431.pdf
- https://static.usrfiles.com/ugd/e9cba9_d10d7c2532af489e8f9607d6de69a4ea.pdf
- https://static.usrfiles.com/ugd/b8c837_5a19685ffd1140d99fbc63c84effa6a6.pdf
- https://static.usrfiles.com/ugd/3ab5ed_b9d338cead614deb91f4691cd25b647c.pdf
- https://static.usrfiles.com/ugd/607883_f525a6af41104053b55d56aba6e9360a.pdf
- https://static.usrfiles.com/ugd/ba3095_98e31b5a51d0437183c93972dc47bda8.pdf
- https://static.usrfiles.com/ugd/808d8c_9a47bddcb3f84ba4b1c636dbf3689e21.pdf
- https://static.usrfiles.com/ugd/87b9a8_706923d8f9b34bc6a0f1cf34b6de395d.pdf
- https://static.usrfiles.com/ugd/b8c837_9606e8de32fc4678b6a6a434a3988853.pdf
- https://static.usrfiles.com/ugd/838e7e_3509bc813dfa46a291906de57a7b00dc.pdf
- https://static.usrfiles.com/ugd/8acad3_ffefcb0907cd4b569460a6f75bb6eac4.pdf
- https://static.usrfiles.com/ugd/03ae60_8f703f867e6d43928ddbccfcee725031.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004f33.bin` `f88ec206428684538f0563bf918f5a7d596b6be5c4802aba0daac63133b4afe5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F33	5136 bytes
`font_01_sfnt_off000060bd.bin` `7a0f1f955fb9e61ffa23ce969aae4fa1919afbed9ba82b01d21e74796e55eacf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60BD	9796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.