PDF malware analysis — malicious · 22cef1e537db7bc7

MALICIOUS

PDF

60.5 KB Created: 2020-09-01 18:29:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4d6411fb7a7f20e6b74c5654f25ba963 SHA-1: 6fa685e4fa326356cad73f2e520342d0b964f307 SHA-256: 22cef1e537db7bc7cb973ca58a34eefe2b3070937ca6ae658a610d31fad8356c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the target URL and references to other benign-looking PDF files hosted on Shopify. This suggests a lure to trick users into clicking malicious links, likely for phishing or malware delivery.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=caerleon+comprehensive+school+estyn+report
- https://cdn.shopify.com/s/files/1/0436/4946/6526/files/bofemuzewevunetuwajepot.pdf
- https://cdn.shopify.com/s/files/1/0465/3862/1087/files/ux_information_architecture_template.pdf
- https://cdn.shopify.com/s/files/1/0438/3876/7266/files/xipuwuv.pdf
- https://cdn.shopify.com/s/files/1/0430/9496/6436/files/goodman_air_conditioning_manual.pdf
- https://cdn.shopify.com/s/files/1/0448/1184/5793/files/air_compressor_inlet_guide_vane.pdf
- https://cdn.shopify.com/s/files/1/0440/7204/2661/files/95675914234.pdf
- https://cdn.shopify.com/s/files/1/0434/5020/4327/files/kendrick_lamar_section._80_torrent.pdf
- https://static.usrfiles.com/ugd/d5d855_fb7eaa4cb6b34e35a79f18a7253c4b94.pdf
- https://static.usrfiles.com/ugd/d78803_b1e3a0c0adb94e7286e4ac3257ea3487.pdf
- https://static.usrfiles.com/ugd/b8c837_66510327cdb34ea39dd840bf1933f4ff.pdf
- https://static.usrfiles.com/ugd/2ddd39_617313c67f814de08b4341904ca7a459.pdf
- https://static.usrfiles.com/ugd/b8c837_601bd766f9cf48d49a9be0e25766fe9d.pdf
- https://static.usrfiles.com/ugd/b8c837_0992f025c53541fca04e5c472a853b50.pdf
- https://static.usrfiles.com/ugd/18f527_174e952bde954d01b8756b3a36438d37.pdf
- https://static.usrfiles.com/ugd/7f929b_03e1dcf2399c4cf78b2387b5ab3b46a0.pdf
- https://static.usrfiles.com/ugd/5926b4_25ddb7ecf23f495c8f3c58386b45634f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000097ad.bin` `a48d22fddad769174f6cc2006f0bb329dd603d48a9a2adfad7e6325620a2dc0f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97AD	3036 bytes
`font_01_sfnt_off0000a276.bin` `1e9919d0a28ffa8b5cdedc527ed3441c87ad81865dfc0e0ad84877fd4166e0ca`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA276	5240 bytes
`font_02_sfnt_off0000b426.bin` `52d401ce26129ec726ce1aaf2206bf79f3990bb9ddf32094b7448c8c3e381067`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB426	15748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.