PDF malware analysis — malicious · 1be373dd3efea4c4

MALICIOUS

PDF

46.6 KB Created: 2020-08-19 03:49:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7c9b8f457bc7daadc61bb9ac5cd6a8be SHA-1: 6e2cb2df63e4ac5774bff8af65fe1b8dd9cfcd4b SHA-256: 1be373dd3efea4c4a19f6fadf6f5253a4ad8409b8cda0b81ddfecb3fcc587185

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous links, including one pointing to a known malicious redirector at 'https://ttraff.cc/pify?keyword=google+sheets+excel+filter'. This redirector is likely used to obscure the final malicious destination. The document's content and the presence of many external links suggest a social engineering attempt to drive traffic to malicious infrastructure, possibly for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=google+sheets+excel+filter
- http://files.wayne-badminton.com/uploads/1/3/1/3/131384359/9068208.pdf
- http://files.kelownaplumbingsolutions.com/uploads/1/3/1/3/131398156/vudejinu-kedav-benosagulita.pdf
- http://rajiputo.mrjonesteach.com/uploads/1/3/0/9/130969060/nijuzijelirep.pdf
- https://cdn.shopify.com/s/files/1/0431/9356/5342/files/pababadu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53293114795.pdf
- https://cdn.shopify.com/s/files/1/0428/9114/9471/files/valusijuriz.pdf
- https://cdn.shopify.com/s/files/1/0436/3137/8592/files/xixexutoriniw.pdf
- https://cdn.shopify.com/s/files/1/0429/2434/3462/files/adjective_worksheet_grade_2.pdf
- https://cdn.shopify.com/s/files/1/0437/5461/9041/files/lakit.pdf
- https://cdn.shopify.com/s/files/1/0427/9202/6271/files/jisoravug.pdf
- https://cdn.shopify.com/s/files/1/0428/4357/0343/files/67297407613.pdf
- https://cdn.shopify.com/s/files/1/0449/4170/5384/files/architecture_diagram_of_8051.pdf
- https://cdn.shopify.com/s/files/1/0432/6745/7188/files/spatial_data_analysis_by_example.pdf
- https://cdn.shopify.com/s/files/1/0428/2312/3100/files/gosofasukifa.pdf
- https://cdn.shopify.com/s/files/1/0437/3712/0933/files/pazita.pdf
- https://cdn.shopify.com/s/files/1/0433/8761/7436/files/98896837934.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b8c.bin` `4094fd89c7783505860c56734f14c27582fe8ac4230a96d3502a088ee0f79da1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B8C	4712 bytes
`font_01_sfnt_off00007bb9.bin` `39568a10ecedf74565980123a172d966e04244e215cca706cd5d1ba4d60d49a1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7BB9	10472 bytes
`font_02_sfnt_off00009f9f.bin` `7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F9F	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.