PDF malware analysis — malicious · 219050a92a61ba4f

MALICIOUS

PDF

44.4 KB Created: 2020-08-22 13:18:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c4509f6c4edc837a65303c37c6f0deb9 SHA-1: d5d862cbb55b21e899233c17d9e7f6788db5a6fa SHA-256: 219050a92a61ba4f09ce38474b2e5a3b8efe7e509ce0484453422fbdbef3f435

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised with a lure related to 'Toeic answer sheet sample pdf'. This indicates a phishing or scam attempt. The PDF also hosts a large number of external links, many pointing to Shopify, suggesting a link farm used for SEO poisoning or distributing malicious content. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=toeic+answer+sheet+sample+pdf
- http://files.k12onlinecurriculum.com/uploads/1/3/0/7/130739377/4882555.pdf
- https://cdn.shopify.com/s/files/1/0432/2865/9880/files/8354549221.pdf
- https://cdn.shopify.com/s/files/1/0435/5447/2087/files/86871243938.pdf
- https://cdn.shopify.com/s/files/1/0430/4211/1637/files/65857528340.pdf
- https://cdn.shopify.com/s/files/1/0435/8835/4207/files/fuloluluzi.pdf
- https://cdn.shopify.com/s/files/1/0431/3186/3202/files/82970171525.pdf
- https://cdn.shopify.com/s/files/1/0437/7175/6698/files/john_deere_4410.pdf
- https://cdn.shopify.com/s/files/1/0430/8133/4935/files/24101322724.pdf
- https://cdn.shopify.com/s/files/1/0431/0705/7825/files/cajamarca_turismo.pdf
- https://cdn.shopify.com/s/files/1/0435/3441/8075/files/azure_active_directory.pdf
- https://cdn.shopify.com/s/files/1/0430/3329/7058/files/academic_writing_sample.pdf
- https://cdn.shopify.com/s/files/1/0433/4111/9653/files/65515741536.pdf
- https://cdn.shopify.com/s/files/1/0430/8893/7120/files/93412878341.pdf
- https://cdn.shopify.com/s/files/1/0427/6797/4556/files/77965322131.pdf
- https://cdn.shopify.com/s/files/1/0448/4795/6130/files/wazoxakovatexofetegelunil.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005a7d.bin` `8d98ac8816f1868d084d656d4874f6fc835ae8c9648a8f77d80e0efa541c1348`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5A7D	5436 bytes
`font_01_sfnt_off00006cd5.bin` `09c3f80a2d29e2cf038049c23d186043a4cf634411d15b352ddd7529feb4dfca`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CD5	10176 bytes
`font_02_sfnt_off00008fd3.bin` `9e1271d681207e96fe60c94df920a27091a957dc81e2614e9e6235263a34fce6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8FD3	16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.