PDF malware analysis — malicious · 2eb20e7c27b22380

MALICIOUS

PDF

35.3 KB Created: 2020-08-05 20:51:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8f75c9319f23df9286922beed94468ed SHA-1: 428376b925b616f12985d43ac408fc526b7b34b5 SHA-256: 2eb20e7c27b223805b69b79c74e3f47c03f4bcc6c6d9d0fa106e430fb6abd0da

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with a primary malicious redirector URL embedded in the document body. This suggests the document is designed to lure users to malicious infrastructure under the guise of providing a downloadable PDF. The heuristic firings confirm the presence of a malicious redirector and a link farm, indicating a phishing or social engineering attack. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=babypips%20school%20of%20pipsology%20pdf%20download
- http://xefam.uhstravelclub.com/uploads/1/3/1/4/131406403/povexosawuziso_masegitumata_gekiga_ropakovudor.pdf
- http://files.rarebirdediting.com/uploads/1/3/0/9/130969148/lasojojuma-tevuxivuworefo-vumami-wabojofowigoju.pdf
- http://files.frontrunnerbooks.com/uploads/1/3/1/4/131437503/jawudute_dosejuxogumanu_nadezuro.pdf
- http://files.luvmymasseuse.com/uploads/1/3/2/6/132681456/mubuwikas-xizufa-supolus.pdf
- http://files.oneilllab.com/uploads/1/3/0/7/130775506/6096350.pdf
- https://cdn.shopify.com/s/files/1/0430/4617/4877/files/63555383614.pdf
- https://cdn.shopify.com/s/files/1/0428/0755/8310/files/40990845774.pdf
- https://cdn.shopify.com/s/files/1/0431/1882/1530/files/apresentao_empresa_em.pdf
- https://cdn.shopify.com/s/files/1/0431/6656/4520/files/ziwimudomosofin.pdf
- https://cdn.shopify.com/s/files/1/0435/5863/3631/files/working_of_electronic_ignition_system.pdf
- https://cdn.shopify.com/s/files/1/0432/0965/4436/files/46176360298.pdf
- https://cdn.shopify.com/s/files/1/0437/0163/3177/files/rutivuga.pdf
- https://cdn.shopify.com/s/files/1/0432/1725/6603/files/bapeba.pdf
- https://cdn.shopify.com/s/files/1/0432/3858/8584/files/66992613136.pdf
- https://cdn.shopify.com/s/files/1/0428/5385/9494/files/krause_becker_airless_paint_sprayer.pdf
- https://cdn.shopify.com/s/files/1/0430/3549/2503/files/vawovuvanoxiwajan.pdf
- https://cdn.shopify.com/s/files/1/0438/3870/1728/files/public_time_server.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004b9f.bin` `e615c5463866da149182e0a373261051b9c1af12e6bf813a91f161c4b7336e1c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4B9F	5704 bytes
`font_01_sfnt_off00005f1b.bin` `1c990e0ec38bcf1a854f28cc7f7c8309149309bd2fc1c0e873daffdd3166799f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F1B	9708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.