PDF malware analysis — malicious · 27433eff994450b3

MALICIOUS

PDF

44.4 KB Created: 2020-08-16 02:05:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5d0f3a8063ba393accc94cd7a1315fe8 SHA-1: 58f5ddfa58ba54a49033eaebae6428d55621285e SHA-256: 27433eff994450b34c8b288d7034490c9d75f62b5948afedf2b130948e25dac4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to known malicious infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be part of this redirection scheme. The PDF also exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains, likely for SEO manipulation or to obscure the malicious redirector. The primary malicious IOC is the redirector URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=variedades%20de%20papa%20en%20mexico%20pdf
- http://files.nearnorthtr.com/uploads/1/3/1/1/131163533/bawinaguz.pdf
- https://cdn.shopify.com/s/files/1/0434/7097/9237/files/squat_circuit_challenge.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/27984898694.pdf
- https://cdn.shopify.com/s/files/1/0437/7139/6257/files/55820755448.pdf
- https://cdn.shopify.com/s/files/1/0431/2688/2471/files/wujirisozogon.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dedepisolutiri.pdf
- https://cdn.shopify.com/s/files/1/0427/5827/5238/files/25541868600.pdf
- https://cdn.shopify.com/s/files/1/0428/8380/9439/files/gajamifufonefoji.pdf
- https://cdn.shopify.com/s/files/1/0431/7619/8305/files/reference_letter_format_for_job.pdf
- https://cdn.shopify.com/s/files/1/0438/9847/0552/files/37935064771.pdf
- https://cdn.shopify.com/s/files/1/0435/6712/0539/files/mercedes_e320_repair_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/6011/7160/files/benanajibiw.pdf
- https://cdn.shopify.com/s/files/1/0429/3738/5123/files/vodarezegekobijoze.pdf
- https://cdn.shopify.com/s/files/1/0434/6799/7344/files/jirorakavekolixeme.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0431/7619/8305/files/reference_letter_format_for_job.pd

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000061c0.bin` `0af6e0f33c96c5f9630de7fa3f9179bb1c67cd60d2df88458361d1c88aa40ad6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61C0	5012 bytes
`font_01_sfnt_off000072aa.bin` `f65389b77a9943659e53ace3dc5d8df1137d9d4b75c5e423f958f41598cf5076`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72AA	10900 bytes
`font_02_sfnt_off00009647.bin` `ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9647	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.