PDF malware analysis — malicious · 2f740ec6e8985cb6

MALICIOUS

PDF

45.8 KB Created: 2020-07-30 05:45:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7e1741c64535a7ca60bc049ff40cf1e2 SHA-1: 4c92bf1dd43a8b33a19391d1604689e81838f4d0 SHA-256: 2f740ec6e8985cb632a8a01657a4438cf809de366747740c2c1508c4044f19c3

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a link farm and a redirector to a malicious URL, indicating a scam or phishing attempt. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the redirection to known malicious infrastructure. The 'SE_LOLBIN_RUN_COMMAND' heuristic suggests that the document may contain instructions or embedded commands that leverage Windows execution tools, potentially to further the malicious activity.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=types+of+bipolar+disorder+pdf
- http://files.torontoislandlakeswim.com/uploads/1/3/0/7/130739007/wesekan_sadepefit_wigufanize_kefajawirepib.pdf
- http://files.dvorajewelrystore.com/uploads/1/3/1/0/131070374/2096935.pdf
- http://files.tephracurlycoatedretrievers.com/uploads/1/3/1/3/131384301/dikopufebiwagow-supuj-ratak.pdf
- https://cdn.shopify
- https://cdn.shopify.com/s/files/1/0430/1130/9719/files/xetipoli.pdf
- https://cdn.shopify.com/s/files/1/0440/6896/2469/files/vururelavi.pdf
- https://cdn.shopify.com/s/files/1/0432/7096/3350/files/18600386159.pdf
- https://cdn.shopify.com/s/files/1/0431/0643/5232/files/fumuvumisiganuzozofew.pdf
- https://cdn.shopify.com/s/files/1/0433/2614/4670/files/62311460276.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/6219719719.pdf
- https://cdn.shopify.com/s/files/1/0435/2750/4024/files/xabufixi.pdf
- https://cdn.shopify.com/s/files/1/0436/0660/5987/files/13790271422.pdf
- https://cdn.shopify.com/s/files/1/0434/9358/9142/files/46495081901.pdf
- https://cdn.shopify.com/s/files/1/0434/0639/3496/files/32736166917.pdf
- https://cdn.shopify.com/s/files/1/0440/6840/5413/files/86324486898.pdf
- https://cdn.shopify.com/s/files/1/0432/8180/9558/files/xekupofitabidaso.pdf
- https://cdn.shopify.com/s/files/1/0430/1930/5113/files/guwojobizusudu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007845.bin` `ef7f18a0c49b5dc05aea915d90db035b8ac11559d09992bb93c271464d9c6083`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7845	4828 bytes
`font_01_sfnt_off000088bb.bin` `8ac3e5ae415e684525a2c7d60a1c4e4142e23d6d46e35e1e2b80a20a79d031fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x88BB	9812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.