PDF malware analysis — malicious · 1df8c9be683d48a3

MALICIOUS

PDF

58.8 KB Created: 2020-08-21 16:20:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: da1563f1b9f7a4b0454c405d36e03670 SHA-1: 18e28852876a7db221589ca97a1826a6f68861ee SHA-256: 1df8c9be683d48a39ef893067ebc408112c41338779a2d9c5a73299773c9a8c3

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link that is disguised as a download button. The link leads to a URL that is part of a link farm, ultimately serving a PDF file. The presence of a malicious redirector and a link farm indicates a phishing or social engineering attempt to trick the user into downloading potentially malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=print+at+home+business+card+template+free
- http://files.blossmmms.com/uploads/1/3/0/9/130969699/xegotesajasiged-tibavipifet-dumafopi.pdf
- http://bemajirod.belizesportsoutreach.com/uploads/1/3/0/7/130775166/fapomi.pdf
- http://files.harpshouse.com/uploads/1/3/1/0/131069978/dapedasojemofegalitu.pdf
- http://files.daventrydogtrainingclub.com/uploads/1/3/0/8/130873973/6745225.pdf
- https://cdn.shopify.com/s/files/1/0432/0762/2824/files/xakixelunafuron.pdf
- https://cdn.shopify.com/s/files/1/0431/0653/3525/files/45033440714.pdf
- https://cdn.shopify.com/s/files/1/0430/4686/3005/files/13794551908.pdf
- https://cdn.shopify.com/s/files/1/0434/0059/3557/files/construction_scope_of_work_template_excel.pdf
- https://cdn.shopify.com/s/files/1/0439/8612/4958/files/avestan_language.pdf
- https://cdn.shopify.com/s/files/1/0430/1121/1417/files/ceqa_guidelines_2020.pdf
- https://cdn.shopify.com/s/files/1/0434/1946/7927/files/83180685207.pdf
- https://cdn.shopify.com/s/files/1/0433/7732/8278/files/stacked_bar_chart_python.pdf
- https://cdn.shopify.com/s/files/1/0434/0118/3384/files/sutenomixegudalaxen.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/32177526878.pdf
- https://cdn.shopify.com/s/files/1/0433/8312/8214/files/94936359129.pdf
- https://cdn.shopify.com/s/files/1/0428/4809/2323/files/rupelonibadukig.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a7d2.bin` `79b3226505a30c75eba1e3ab794c019988dfe3862c78183e497a4556d9c67267`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA7D2	5536 bytes
`font_01_sfnt_off0000ba66.bin` `748bd48b14b0cdd29834510c8f9181469e848a9a891d2b923087a86994dcddec`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBA66	10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.