PDF malware analysis — malicious · 284baf7214489006

MALICIOUS

PDF

43.7 KB Created: 2020-08-06 22:10:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3c9e19bdfd0579fa57168e73526ca557 SHA-1: d80a7c8957eb2e4962d9208d9ca01bcb28fae6d9 SHA-256: 284baf721448900659f193cdd2a1e8667b7f6be398358be8c0ae56ce7bda3724

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'school holiday calendar 2020 nsw pdf' and the malicious URL. This suggests a phishing or social engineering attempt to redirect users to malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=school+holiday+calendar+2020+nsw+pdf
- http://fekirebi.lindenwoodbeer.com/uploads/1/3/0/8/130814328/4418667.pdf
- http://files.msdlaroche.com/uploads/1/3/2/3/132302749/nalanowobagurujapo.pdf
- http://files.kehillahhouston.org/uploads/1/3/0/7/130775387/dexob_zuxegojav_fadimetavi.pdf
- http://files.juddbristo.com/uploads/1/3/1/3/131380666/1d2d34a97.pdf
- http://files.littlefollowersdaycare.com/uploads/1/3/1/8/131871852/kazewino_povuwolegami_roxosaka.pdf
- https://cdn.shopify.com/s/files/1/0432/5320/3102/files/bifubik.pdf
- https://cdn.shopify.com/s/files/1/0433/9977/4366/files/19168800646.pdf
- https://cdn.shopify.com/s/files/1/0437/4983/4901/files/payroll_accounting_2020.pdf
- https://cdn.shopify.com/s/files/1/0431/6856/3355/files/72629638993.pdf
- https://cdn.shopify.com/s/files/1/0438/6045/9685/files/ayushman_bharat_hospital_list_in_bangalore.pdf
- https://cdn.shopify.com/s/files/1/0434/7245/3797/files/dajilolupatefupovuwabeki.pdf
- https://cdn.shopify.com/s/files/1/0438/3657/1808/files/29325281623.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mozinetesabelenigifil.pdf
- https://cdn.shopify.com/s/files/1/0435/7573/8527/files/kuvulifosusabatoropuka.pdf
- https://cdn.shopify.com/s/files/1/0439/2475/0491/files/foxav.pdf
- https://cdn.shopify.com/s/files/1/0432/9956/9829/files/sopuvuzeroma.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/87294954422.pdf
- https://cdn.shopify.com/s/files/1/0431/8806/0321/files/ukulele_tabs_hallelujah.pdf
- https://cdn.shopify.com/s/files/1/0428/3655/7987/files/kozaj.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000069d3.bin` `9bdc3a0283c431b9e5590e8a37358b0c1304badc817c0ace521af71bb1e79853`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69D3	5812 bytes
`font_01_sfnt_off00007dae.bin` `08bc356f83523dc32c88093a3e35fe6eb01cc9d2c081588eb6d523643a4a0227`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7DAE	10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.