PDF malware analysis — malicious · 27059e64f0d36e30

MALICIOUS

PDF

66.8 KB Created: 2020-08-18 19:49:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 487aaea5750c9c5578d13a819f176a28 SHA-1: afd1f14064f2bb921104a5a7e578515bada78c59 SHA-256: 27059e64f0d36e3072c46e1957b7a0d228b88551e3ae5bdfc9becbe2c21a96e0

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The PDF also contains a large number of external links, suggesting a link farm for SEO manipulation, as indicated by the PDF_SEO_LINK_FARM heuristic. The embedded URL points to a redirector that ultimately leads to a page related to 'mitosis and meiosis amoeba sisters worksheet', likely a lure to entice clicks. The SE_DOWNLOAD_BUTTON heuristic further supports the idea of a deceptive call-to-action.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=mitosis+and+meiosis+amoeba+sisters+worksheet
- http://files.rollepodiatry.co.uk/uploads/1/3/0/8/130874585/e09b5de7bb0.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jufozigazagapuji.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gifizazuxapi.pdf
- https://cdn.shopify.com/s/files/1/0439/0263/2104/files/basilea_1_2_3_4_en_pdf.pdf
- https://cdn.shopify.com/s/files/1/0433/8234/1781/files/kazufaluresagu.pdf
- https://cdn.shopify.com/s/files/1/0428/5467/8687/files/gejir.pdf
- https://cdn.shopify.com/s/files/1/0446/6540/5603/files/que_es_el_briefing.pdf
- https://cdn.shopify.com/s/files/1/0435/6007/5427/files/42077640802.pdf
- https://cdn.shopify.com/s/files/1/0429/6998/9279/files/sixemefekogulizamexi.pdf
- https://cdn.shopify.com/s/files/1/0431/1754/3588/files/helicobacter_pylori_diagnostico_y_tratamiento.pdf
- https://cdn.shopify.com/s/files/1/0433/9728/3992/files/basic_c_programs_for_practice.pdf
- https://cdn.shopify.com/s/files/1/0438/2484/0861/files/ley_de_arbitraje_en_colombia.pdf
- https://cdn.shopify.com/s/files/1/0439/1796/7528/files/87545817753.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c928.bin` `030e725ea5a8664a17fcdc3c0c5bc3c7c36a39468b2d8d804b1d1abddc23a2b6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC928	5332 bytes
`font_01_sfnt_off0000db30.bin` `f147b2fc23260edf8a554efcba75affe04dea0ff54351648f93f7470817a22b6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDB30	10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.