PDF malware analysis — malicious · 34b1c9ce2184e4a8

MALICIOUS

PDF

48.0 KB Created: 2020-08-22 03:38:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 41719c82ef6b08eb1c5c6031241b9001 SHA-1: 747ca3aa19e0ff733b8f3ed2b00f393155166953 SHA-256: 34b1c9ce2184e4a84f0e0be7a1d29700a96db71c067d11ba6319afe0f6b9591a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains text related to 'free css templates' and the malicious URL. The primary attack pattern involves luring users to a malicious site via a link farm disguised as a resource page. No scripts were extracted, limiting the analysis of further stages.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=free+css+templates+for+photography+websites
- http://xuzaf.wewillcureals.com/uploads/1/3/1/3/131383483/711c76f.pdf
- http://files.salemlakemills.com/uploads/1/3/0/8/130813357/7531947.pdf
- http://bafaburon.atozsmallbusinesservices.com/uploads/1/3/1/6/131636612/5201586.pdf
- http://files.auslanstorybooks.com/uploads/1/3/0/9/130969322/xuvafa.pdf
- https://cdn.shopify.com/s/files/1/0428/4170/2567/files/70388634816.pdf
- https://cdn.shopify.com/s/files/1/0431/7098/8188/files/zumojenexisirukofu.pdf
- https://cdn.shopify.com/s/files/1/0436/2859/3315/files/sasowozobof.pdf
- https://cdn.shopify.com/s/files/1/0433/6176/3480/files/32959290186.pdf
- https://cdn.shopify.com/s/files/1/0433/7968/7587/files/95592217601.pdf
- https://cdn.shopify.com/s/files/1/0434/1006/3527/files/soxupazovus.pdf
- https://cdn.shopify.com/s/files/1/0433/2997/8526/files/62017819436.pdf
- https://cdn.shopify.com/s/files/1/0440/4540/2277/files/oneplus_5t_root.pdf
- https://cdn.shopify.com/s/files/1/0459/3365/8279/files/archicad_19_english.pdf
- https://cdn.shopify.com/s/files/1/0427/7954/1671/files/97221050886.pdf
- https://cdn.shopify.com/s/files/1/0432/1142/3902/files/journal_patent_ductus_arteriosus.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006571.bin` `64d79ef4a71e6d1a329c598c463560c13db69bc9f0791527f7527ede63278856`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6571	5400 bytes
`font_01_sfnt_off000077df.bin` `8770a9d16f6ec8ed1e04f7f31595c1fd3834ff76ff6f55291086ab87d6d749e8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x77DF	2268 bytes
`font_02_sfnt_off000081f1.bin` `9cc7e20aa8043f8bfb5ea82b68a44d7dd36d8f393c712eb838d79c1183e52628`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81F1	10132 bytes
`font_03_sfnt_off0000a49c.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA49C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.