PDF malware analysis — malicious · 31d4e47529f66059

MALICIOUS

PDF

49.0 KB Created: 2020-08-28 09:44:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b968f67dc12bc720f05ea4e4d1638b1d SHA-1: 135c7264418a3aeb3afcab9513db75f6718acf1b SHA-256: 31d4e47529f660596c708ea20bda36fa06174977f74794437f7a726811f9780b

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a download button, aiming to lure users to a malicious site. The document body contains obfuscated text and a URL that points to a redirector service. This suggests a phishing or social engineering attack to deliver a payload.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=adobe+reader+offline+installer+xp
- http://files.conniehardyreflexology.com/uploads/1/3/1/4/131453944/bokokolubeme_zidigeloja_xagozen.pdf
- http://files.caringheartsunited.com/uploads/1/3/1/6/131637024/jazisotu_dobulu.pdf
- http://files.knittygrittysyr.com/uploads/1/3/0/7/130776295/berajobowapato.pdf
- http://fiwuli.advancedmodularmanikin.com/uploads/1/3/1/0/131071252/a8aea93f.pdf
- http://files.connieha
- https://cdn.shopify.com/s/files/1/0431/4457/7185/files/personal_finance_jeff_madura_5th_edition.pdf
- https://cdn.shopify.com/s/files/1/0432/6224/7067/files/nifulo.pdf
- https://cdn.shopify.com/s/files/1/0437/1103/7589/files/zofituz.pdf
- https://cdn.shopify.com/s/files/1/0431/7547/7416/files/35519671289.pdf
- https://cdn.shopify.com/s/files/1/0432/8423/4396/files/rifoxuruwuvugog.pdf
- https://cdn.shopify.com/s/files/1/0428/8466/1407/files/sisuwa.pdf
- https://cdn.shopify.com/s/files/1/0437/6756/2391/files/wurewasi.pdf
- https://cdn.shopify.com/s/files/1/0430/8012/2532/files/3312834803.pdf
- https://cdn.shopify.com/s/files/1/0433/4397/0463/files/tulazakuzitiv.pdf
- https://cdn.shopify.com/s/files/1/0435/6138/6147/files/53744334217.pdf
- https://cdn.shopify.com/s/files/1/0432/9380/2646/files/68496689625.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000074a8.bin` `8024a9ab02cb95e258631f9fcaa7d2ab8452453c882eb364f4458c68eda5a803`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74A8	5020 bytes
`font_01_sfnt_off000085bb.bin` `40772d6c4b3d1b46e8dadaca1cc1d7ab856ed4b6449fa055b851f71e9ded86ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x85BB	10180 bytes
`font_02_sfnt_off0000a895.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA895	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.