PDF malware analysis — malicious · 3a52a0232d7e8138

MALICIOUS

PDF

53.6 KB Created: 2020-08-22 21:24:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c7821594a0940ebd904a980fefbd50ae SHA-1: 66a775ddd3d547354b72867129d3cfe6728a4a4b SHA-256: 3a52a0232d7e81388336b322bb6e08954c6905c384d77931d283e5d2e990a218

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a direct link to a known malicious redirector, indicating a phishing or scam attempt. The document body, though heavily obfuscated, contains the same URL found in the redirector heuristic. The presence of a visual download button further supports the lure-based attack pattern. No scripts were extracted, limiting the analysis of further stages.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=best+bollywood+music++app+for+android
- http://files.veljre.com/uploads/1/3/2/7/132712139/af67bf31cb9b0d4.pdf
- http://levixete.montenegroadventures.me/uploads/1/3/0/7/130740257/xevutopuxafaxasaw.pdf
- https://cdn.shopify.com/s/files/1/0431/1754/3588/files/fevarubokineboro.pdf
- https://cdn.shopify.com/s/files/1/0431/4261/1095/files/nutoguxos.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/reported_speech_examples_for_class_9.pdf
- https://cdn.shopify.com/s/files/1/0432/3826/0903/files/37302452416.pdf
- https://cdn.shopify.com/s/files/1/0438/0635/9714/files/95672188214.pdf
- https://cdn.shopify.com/s/files/1/0462/4059/6119/files/76696797589.pdf
- https://cdn.shopify.com/s/files/1/0434/3028/1381/files/bsc_zoology_download.pdf
- https://cdn.shopify.com/s/files/1/0435/0833/4744/files/27649417006.pdf
- https://cdn.shopify.com/s/files/1/0434/8788/7526/files/35024477822.pdf
- https://cdn.shopify.com/s/files/1/0430/9306/5881/files/it_inventory_template_xls.pdf
- https://cdn.shopify.com/s/files/1/0433/1329/9620/files/lopatabomabiditexalakadul.pdf
- https://cdn.shopify.com/s/files/1/0434/0196/9820/files/vetuwirixarevizet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000855b.bin` `c34e9acc814579efeebaab9a36f505e25283f014723b2593b041e5da85ccd235`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x855B	5564 bytes
`font_01_sfnt_off0000983d.bin` `269ec74b3cd0c2266127414dfe78be18a4144c773caaa2fe68a8870364a6dba1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x983D	10164 bytes
`font_02_sfnt_off0000bb10.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBB10	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.