PDF malware analysis — malicious · 28c08fa263a45822

MALICIOUS

PDF

57.6 KB Created: 2020-09-02 06:25:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b0ae311c86299b59d10d807acae50fea SHA-1: 7397676a138bed5a3951a959faa231209c1f6f18 SHA-256: 28c08fa263a45822dae248bd5d99e45aa1bbd301e9f8954114b49f7b5912e9bb

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=current+affairs+august+2019+pdf+free'. Additionally, a high heuristic indicates a payment redirection lure, suggesting a business-email-compromise pattern. The document body, though heavily obfuscated, contains the same redirector URL. The presence of a link farm further supports the malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=current+affairs+august+2019+pdf+free
- https://cdn.shopify.com/s/files/1/0429/2280/3366/files/72926913178.pdf
- https://cdn.shopify.com/s/files/1/0437/6900/4190/files/libizuz.pdf
- https://cdn.shopify.com/s/files/1/0438/6032/8608/files/cummins_m11_service_manual_free_down.pdf
- https://cdn.shopify.com/s/files/1/0450/2568/9758/files/xupezefizekosefuwojexadif.pdf
- https://static.usrfiles.com/ugd/1a89c8_39c81a03863f4884acc4f90463cd2efd.pdf
- https://static.usrfiles.com/ugd/97634b_a5591e31d3bc4e5ba1743c0c5facfc46.pdf
- https://static.usrfiles.com/ugd/b8c837_12b032929c1c4d90a34db89513d70f04.pdf
- https://static.usrfiles.com/ugd/91e123_3dc7efa3adb14c75b666d12fdb6b8ee0.pdf
- https://static.usrfiles.com/ugd/b8c837_9c9e756a72e4480692bad3d296c7bd31.pdf
- https://static.usrfiles.com/ugd/a1fb72_e828f1f27ca24afaabc37331bdd9de6f.pdf
- https://static.usrfiles.com/ugd/8127dd_03ff8a8a606544fa8960597308de1fe5.pdf
- https://static.usrfiles.com/ugd/6f58fb_7436d15a3c124ef086f80ac014f56cfa.pdf
- https://static.usrfiles.com/ugd/1f2646_c227bf8024e4431dbad7cd2e1fd83371.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007e98.bin` `478a0971e7d310ba60c8a7f2faab4f338a5b8d6283e1ef3aafe2670207790073`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E98	5564 bytes
`font_01_sfnt_off00009191.bin` `f623a36c721f262600b484aa5beb8a0a089d82f54fa229798128b1a467ec8fc4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9191	16364 bytes
`font_02_sfnt_off0000c3f0.bin` `541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC3F0	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.