PDF malware analysis — malicious · 3ded164371890a9f

MALICIOUS

PDF

115.3 KB Created: 2020-08-25 18:44:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b61c44551e86c05eb3ae78266a8e97d2 SHA-1: fac09cd5cc993d33fe4f7194e6008d1543c033a6 SHA-256: 3ded164371890a9fbef7523ef1a011d86ba6dba2abe870b6633e51863834711e

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised as a free service manual download. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms this redirection to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic indicates the PDF is part of a larger scheme to generate traffic through link farms. The SE_DOWNLOAD_BUTTON heuristic further supports the lure-based nature of the attack.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=2008+ski+doo+service+manual+free+download
- http://files.msgeekyteach.com/uploads/1/3/0/9/130969754/8039491.pdf
- http://files.jdunbarportfolio.com/uploads/1/3/2/6/132681464/8376252.pdf
- http://xopulub.leedsmayi.com/uploads/1/3/2/6/132681464/3d9a33bf5973b7.pdf
- http://files.rewalsarsponsorship.org/uploads/1/3/0/9/130969498/bipigi.pdf
- http://files.lowereastsideheroines.com/uploads/1/3/0/7/130776208/gavovow.pdf
- https://cdn.shopify.com/s/files/1/0428/1945/3095/files/ruzumagir.pdf
- https://cdn.shopify.com/s/files/1/0446/9764/9306/files/guardian_ape_second_fight_guide.pdf
- https://cdn.shopify.com/s/files/1/0430/1750/2869/files/72620686488.pdf
- https://cdn.shopify.com/s/files/1/0435/7944/1307/files/46161287510.pdf
- https://cdn.shopify.com/s/files/1/0428/8030/3270/files/45462115902.pdf
- https://cdn.shopify.com/s/files/1/0430/2585/8723/files/58095508448.pdf
- https://cdn.shopify.com/s/files/1/0431/8121/1802/files/81818520089.pdf
- https://cdn.shopify.com/s/files/1/0434/9689/8724/files/wafejugapisenufet.pdf
- https://cdn.shopify.com/s/files/1/0430/5063/1319/files/dilikisetis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00016c18.bin` `3ef13d1fa009d8da33c7e1c9e7eba01953e0f71b0f14297f9c7a58f6fd827d6c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16C18	5556 bytes
`font_01_sfnt_off00017ee1.bin` `4190e920a9554f0ac468588360a756ae0e3027e7eec6381136cfacfaf734c7dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17EE1	16480 bytes
`font_02_sfnt_off0001b1bb.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B1BB	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.