PDF malware analysis — malicious · 29ddfeae6e2e3950

MALICIOUS

PDF

42.0 KB Created: 2020-08-23 00:11:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7bc525a4d1742f957ae9fc46d9e0e1a8 SHA-1: 8937022871d35edbf3da11ae7e9564784c0455ad SHA-256: 29ddfeae6e2e395011dc1bbf7b363736e281c8d8dd02e479693cb6cd38ea36f7

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a link farm and a malicious redirector. The document body, though heavily obfuscated, contains a URL that points to a malicious redirector, likely intended to lure the user into clicking it. This redirector then leads to a page that appears to be a guide but is actually a malicious link farm. The presence of multiple Shopify links suggests an attempt to blend in with legitimate content while hosting malicious payloads.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=divinity+2+original+sin+romance+guide
- http://files.colaizzifitness.com/uploads/1/3/1/3/131384679/pitezadikak.pdf
- http://mosofi.lovingbackyardsquirrels.com/uploads/1/3/0/9/130969489/a68163.pdf
- http://lupime.sadieparrotta.com/uploads/1/3/1/4/131438142/f57712e3066.pdf
- https://cdn.shopify.com/s/files/1/0430/6649/1042/files/76006847765.pdf
- https://cdn.shopify.com/s/files/1/0439/9982/1982/files/valvulas_ksb.pdf
- https://cdn.shopify.com/s/files/1/0428/3459/1907/files/53309151382.pdf
- https://cdn.shopify.com/s/files/1/0437/1172/5723/files/37656665420.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/23651487672.pdf
- https://cdn.shopify.com/s/files/1/0448/1895/6448/files/lowes_brevard_nc.pdf
- https://cdn.shopify.com/s/files/1/0428/2161/5775/files/86943653168.pdf
- https://cdn.shopify.com/s/files/1/0463/2136/9250/files/disenitabo.pdf
- https://cdn.shopify.com/s/files/1/0431/1914/9216/files/burgess_shale_guided_hike.pdf
- https://cdn.shopify.com/s/files/1/0431/7754/1787/files/futowezatutaket.pdf
- https://cdn.shopify.com/s/files/1/0434/5744/6038/files/anti_intellectualism_in_the_philippines.pdf
- https://cdn.shopify.com/s/files/1/0435/9480/9507/files/bhoot_bhangra_video_song_karamjit_anmol.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064e4.bin` `338cc71e383d779db1a2bb2777d0c3e3e9ccbe7f3f5c9e2df8a0a3267df8221c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64E4	5552 bytes
`font_01_sfnt_off000077b4.bin` `8adf0cf1b7af4f9563c47b4631e1a9bb4c87949970ee5aab165e833fd8b70e94`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x77B4	10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.