PDF malware analysis — malicious · 35ca9631abc3c653

MALICIOUS

PDF

42.7 KB Created: 2020-08-01 14:11:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0894fd78f031ee4fd932af4a767f175a SHA-1: e1a00d93389cdb0dfca2e2f47910d13c52dccc22 SHA-256: 35ca9631abc3c653e536e9732bec818085cd14d4413197f75982c4a585440bf5

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.001 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a social-engineering lure to install a browser extension, directing the user to a malicious redirector URL. The document body, though heavily obfuscated, contains the malicious URL. The presence of a link farm further indicates malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=ant+video+downloader+chrome
- http://files.asifthinkingmatters.com/uploads/1/3/0/7/130739232/f6af3cbea988b.pdf
- http://files.colangelowine.com/uploads/1/3/0/9/130969663/ef772e0a.pdf
- http://files.thelittleyellowbuilding.com/uploads/1/3/1/4/131453645/lapigigelujalig.pdf
- http://files.shadygrove71052.org/uploads/1/3/2/7/132740778/deb08708076d3b1.pdf
- http://files.theskinthatburns.com/uploads/1/3/1/1/131164534/f66e7e2f6bf.pdf
- https://cdn.shopify.com/s/files/1/0430/1763/3949/files/94571393504.pdf
- https://cdn.shopify.com/s/files/1/0430/6498/3701/files/92605634716.pdf
- https://cdn.shopify.com/s/files/1/0433/0697/5382/files/70531196627.pdf
- https://cdn.shopify.com/s/files/1/0434/7576/3353/files/bizewavabigisezajijazux.pdf
- https://cdn.shopify.com/s/files/1/0430/8362/8708/files/21667185828.pdf
- https://cdn.shopify.com/s/files/1/0431/9982/4032/files/35567364040.pdf
- https://cdn.shopify.com/s/files/1/0433/3273/1030/files/nawabore.pdf
- https://cdn.shopify.com/s/files/1/0435/0319/0181/files/83479050393.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gifowugebivagobawogun.pdf
- https://cdn.shopify.com/s/files/1/0437/7962/1026/files/21387447003.pdf
- https://cdn.shopify.com/s/files/1/0427/4647/8759/files/yu-_yu_hakusho_episode_guide.pdf
- https://cdn.shopify.com/s/files/1/0433/1310/2998/files/45817642917.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/04

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000067fb.bin` `a523ae7b72502f2bb2c69ddb8942d44281a7f00ac88cab37e3ead01b86f445a2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67FB	5140 bytes
`font_01_sfnt_off0000795f.bin` `ffa7de93fbba4a858db1255b5ccc045108d2210bbd7d6245769d61b7f2b66844`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x795F	10576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.