Malicious PDF — malware analysis report

Static analysis result for SHA-256 239810578a168970…

Verdict: MALICIOUS
File type: PDF
Size: 101.4 KB
Created: 2020-09-10 21:53:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf48ce3a370b49f73d8193d15dffdacb
SHA-1: 78c08b99d8153b3afd75fe36e232694200411f5f
SHA-256: 239810578a168970503b243a698dc9410bb39ee275e4f85e267ad963a2c16f05
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF carries 14 clickable links: one to https://ttraff.ru/wix?keyword=avoidance+strategy+pdf, flagged as redirector infrastructure of a known malicious PDF SEO/adware campaign, and 13 to PDF files hosted on static.usrfiles.com. The 'SE_INVOICE_LURE' heuristic found invoice or payment wording paired with an action verb, so the visible text is built to get the reader to click, which is the typical phishing or scam setup for such a link. The cluster of external PDF links on a single host, matched by 'PDF_SEO_LINK_FARM', is the generated SEO carrier pattern used to route visitors into malicious or unwanted-software delivery chains rather than a normal citation pattern; the wkhtmltopdf authoring tool in the metadata is consistent with a templated, mass-produced document. The remaining six URLs (w3.org, purl.org, ns.adobe.com) are XMP namespace identifiers from the metadata stream, not link targets. The sample depends on user interaction and redirect chains, not on a parser vulnerability: no JavaScript, macro or embedded executable was carved (the three extracted artifacts are fonts), so the T1059.001 PowerShell mapping listed above is not supported by anything on this page and should be treated as unverified.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro, or attachment indicators.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets:
    • https://ttraff.ru/wix?keyword=avoidance+strategy+pdf
    • https://static.usrfiles.com/ugd/26938b_5bf71b0ea975408fb045dc802fd3fa34.pdf
    • https://static.usrfiles.com/ugd/0f9ef0_7ff8e8ed8c004aecacb42e22158f85d0.pdf
    • https://static.usrfiles.com/ugd/37987b_4823a1fefbb3421b90da4c522d1f6c3f.pdf
    • https://static.usrfiles.com/ugd/eed56f_7996b79d4fc14970b6a0f6c967b424f4.pdf
    • https://static.usrfiles.com/ugd/34e21e_dc9b7f9e6b4749ac99eacf0b0c53ab00.pdf
    • https://static.usrfiles.com/ugd/a31856_f8622cd3a7ed432298df0e5a70691a96.pdf
    • https://static.usrfiles.com/ugd/538d67_7a21757565e74b0b9dd544d3e18dacbc.pdf
    • https://static.usrfiles.com/ugd/c0a468_63863c11760c47f7a59193c1dca73c47.pdf
    • https://static.usrfiles.com/ugd/0511f5_e69d041b5a9e4493841ce8ce71641d0e.pdf
    • https://static.usrfiles.com/ugd/83e24f_f73a8e1d98b04e95b09a9be5a6593015.pdf
    • https://static.usrfiles.com/ugd/784815_c3570c8112424150bc410ff66ab298bf.pdf
    • https://static.usrfiles.com/ugd/516793_91df332b7bc446c3901a9f379e9897fc.pdf
    • https://static.usrfiles.com/ugd/2ca09c_89b56d115b174fbc834e4f7796750bbe.pdf
    XMP/RDF namespace identifiers from the metadata stream (benign, not link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
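The three content heuristics above (redirector link, link farm, invoice lure) and the split between clickable /URI actions and XMP namespace URIs can be reproduced with a byte-level triage script. The Python below is an added example, not the scanner's own code: the redirector blocklist (ttraff.ru only), the link-farm thresholds, the lure word lists and the constructed sample PDF are all assumptions made for the illustration.

```python
# Added example: byte-level PDF link triage mirroring the report's heuristics.
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Redirector hosts the report names as malicious (assumed blocklist).
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Link-farm thresholds: assumptions, not the scanner's real parameters.
LINK_FARM_MIN_LINKS = 8          # "many" external .pdf links
LINK_FARM_MIN_SHARE = 0.7        # share of those links on the dominant host
LINK_FARM_MAX_SIZE = 512 * 1024  # "small" PDF

URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\nendstream", re.S)
TEXT_SHOW_RE = re.compile(rb"\((?P<s>(?:\\.|[^\\)])*)\)\s*Tj")
GENERIC_URL_RE = re.compile(rb"https?://[^\s'\"<>()]+")
INVOICE_RE = re.compile(rb"\b(invoice|payment|remittance)\b", re.I)
ACTION_RE = re.compile(rb"\b(click|download|open|view|pay)\b", re.I)


def unescape(raw: bytes) -> bytes:
    """Undo the PDF literal-string escapes for parentheses and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def clickable_uris(pdf: bytes) -> list[str]:
    """URIs a viewer would follow on click: /URI actions of link annotations only."""
    return [unescape(m.group("uri")).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def stream_bodies(pdf: bytes) -> list[bytes]:
    """Every stream body, inflated when it is FlateDecode, raw otherwise."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group("body")
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # uncompressed stream (e.g. XMP metadata)
        bodies.append(body)
    return bodies


def metadata_uris(pdf: bytes) -> list[str]:
    """URLs that occur only as XML namespace identifiers inside XMP metadata."""
    found = []
    for body in stream_bodies(pdf):
        if b"xmpmeta" in body:
            found += [u.decode("latin-1") for u in GENERIC_URL_RE.findall(body)]
    return found


def shown_text(pdf: bytes) -> bytes:
    """Concatenated string operands of the Tj operator in all content streams."""
    return b" ".join(unescape(m.group("s"))
                     for body in stream_bodies(pdf) for m in TEXT_SHOW_RE.finditer(body))


def triage(pdf: bytes) -> dict:
    """Apply the redirector, link-farm and invoice-lure rules to one PDF."""
    uris = clickable_uris(pdf)
    hits = []
    if any((urlparse(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS for u in uris):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= LINK_FARM_MAX_SIZE and len(pdf_links) >= LINK_FARM_MIN_LINKS:
        top = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0][1]
        if top / len(pdf_links) >= LINK_FARM_MIN_SHARE:
            hits.append("PDF_SEO_LINK_FARM")
    text = shown_text(pdf)
    if INVOICE_RE.search(text) and ACTION_RE.search(text):
        hits.append("SE_INVOICE_LURE")
    return {"hits": hits, "clickable": uris, "metadata_only": metadata_uris(pdf)}


def build_sample_pdf(uris, body_text: str) -> bytes:
    """Constructed minimal PDF (not the analysed sample): one /Link annotation per URI,
    a FlateDecode content stream and an XMP metadata stream. No xref table is written,
    which is enough for byte-level triage but not for a viewer."""
    content = zlib.compress(f"BT /F1 12 Tf 72 700 Td ({body_text}) Tj ET".encode("latin-1"))
    xmp = b"<x:xmpmeta xmlns:x='adobe:ns:meta/' xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>"
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ("
        + u.encode() + b") >> >>" for u in uris)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample shaped like the report: one ttraff.ru redirector plus a cluster
# of static.usrfiles.com PDFs (the hex file names are placeholders, not the real ones).
SAMPLE_URIS = ["https://ttraff.ru/wix?keyword=avoidance+strategy+pdf"] + [
    f"https://static.usrfiles.com/ugd/{i:06x}_placeholder.pdf" for i in range(13)]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS, "Invoice 2020-09: click to download your statement")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real samples need a proper PDF parser (object streams, encrypted strings, /GoToR and /Launch actions, JavaScript) in front of the same rules; the regex front end here is deliberately minimal so that the scoring logic stays visible. The metadata_uris output is what keeps the w3.org/purl.org/ns.adobe.com namespaces from inflating the link count.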

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt); no script, macro or executable payload was carved, consistent with a document that relies on its links rather than on embedded code.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00014472.bin | 31a62e72c4ad911db210fffb98051cd3d0f019626971edab9578722c67a9394e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14472 | 5232 bytes
font_01_sfnt_off00015659.bin | 56ba8572159878d9d5256077d05798bd5bb1b4c9a0605ff4abb00be1b3f59c95 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15659 | 10616 bytes
font_02_sfnt_off00017a91.bin | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17A91 | 4324 bytes