Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e075f1306795196…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-09-21 05:47:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fbb59ffee04ab193ef9cf7aa0e4259b
SHA-1: 2fc9ea4dc5d0537369acfbcca94ed6870d858408
SHA-256: 3e075f1306795196cba45508bde915b66f2335d815e3388abebafb6742f12c69
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a link farm with one primary link identified as a malicious redirector. The document body, though partially corrupted, contains text suggesting a lure for a product manual, which matches the keyword carried in the redirector URL. The large number of external PDF links, clustered on one hosting domain, indicates SEO poisoning as the distribution tactic rather than a normal citation pattern.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link annotations (clickable URIs):
    • https://ttraff.me/wix?keyword=presto+pizzazz+plus+rotating+pizza+oven+manual (the redirector flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://rojoge.karencharlton.com/uploads/1/3/0/7/130775219/389c7dd87cac27.pdf
    • http://files.penandnapkin.org/uploads/1/3/1/8/131857305/futabufizinivobame.pdf
    • https://ec1898b9-8b5e-4a7f-b0c2-290331272491.filesusr.com/ugd/3fb742_94aa513195694e55ba147b3e82475792.pdf?index=true
    • https://61e199a2-512c-4bfa-8856-8f2b6f891036.filesusr.com/ugd/3b5dd9_33e047fbd7354f088df68170315c45e5.pdf?index=true
    • https://6470de30-fd15-4d82-be0e-0d0cc4924c73.filesusr.com/ugd/f515ca_a512eac564ab4c4e8ca2a0af6f183d09.pdf?index=true
    • https://955021ef-af36-4d8d-805b-993a29db9ac1.filesusr.com/ugd/f65518_709f0b30745a42b28fff55d8aba863af.pdf?index=true
    • https://6a8c7a1c-7c2b-4e1f-8e72-bf7bd2fd727b.filesusr.com/ugd/2ca22b_f68ea15a689e41e0b078800a14264fb9.pdf?index=true
    • https://3b3594f7-ead0-4a5e-a5b9-4dbef6aeb51a.filesusr.com/ugd/cec570_7048b2d297814eefa664169e5f4e385b.pdf?index=true
    • https://ac6fada3-8c1b-437c-b6fa-3e13287401e3.filesusr.com/ugd/5360f8_41a562aeb4c3410f847a838abc780fab.pdf?index=true
    • https://b5b14a9f-9021-4526-98a2-614d3492eb4e.filesusr.com/ugd/d4c4cf_acb02dc71edb48c0b8759d498cb8aa8a.pdf?index=true
    • https://09311cd8-e01e-441f-a380-38baf7b73a18.filesusr.com/ugd/197ed4_99f110a7d8eb4f9b9efade6b96952540.pdf?index=true
    • https://16224593-b303-4477-8014-b1550886dbe8.filesusr.com/ugd/90423f_181191c0dfa74f97881563cf83e689a8.pdf?index=true
    XMP/RDF namespace identifiers from the document metadata stream (not clickable links; expected in any XMP-tagged PDF):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
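The two critical heuristics reduce to a few mechanical checks: pull every /URI out of the link annotations, keep metadata namespace URIs on their own channel so they are never counted as links, and flag a small file whose external .pdf links cluster on a single domain. The Python below is an added example, not the analysis tool's code and not derived from this sample: it builds a constructed PDF with placeholder hosts, extracts URLs with a regex over literal strings only, and applies the link-farm and keyword-redirector checks. The thresholds, the two-label domain approximation and the `keyword=` shape test are assumptions chosen for illustration.

```python
"""Added example (not the analysis tool's code): extract URLs from a PDF by
channel and apply the link-farm / keyword-redirector heuristics described
above. The PDF is constructed and every host is a placeholder."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed link set: one keyword-carrying redirector-style URL plus ten
# external .pdf links on sibling subdomains of a single domain.
LINKS = ["https://redirector.example/go?keyword=product+manual"] + [
    f"https://{i:08x}.farm.example/uploads/{i}/file.pdf?index=true" for i in range(10)
]
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
       b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')


def build_pdf(links, xmp=XMP) -> bytes:
    """Minimal uncompressed PDF with one /Link annotation per URL and an XMP
    metadata stream; enough structure for the extractor, not a polished file."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n" for u in links)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
            b"4 0 obj << /Type /Metadata /Subtype /XML /Length "
            + str(len(xmp)).encode() + b" >>\nstream\n" + xmp + b"\nendstream\nendobj\n"
            b"%%EOF\n")


# Literal-string /URI actions and XMP namespace declarations only. Hex strings,
# compressed object streams and JavaScript actions would need a real parser.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.DOTALL)
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z_][\w.-]*="([^"]+)"')


def _unescape(s: bytes) -> str:
    # Only the literal-string escapes that can occur inside a URL.
    return (s.replace(b"\\(", b"(").replace(b"\\)", b")")
             .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_urls(pdf: bytes):
    """Return (channel, url) pairs, so metadata URIs are never counted as links."""
    urls = [("link-annotation", _unescape(m.group(1))) for m in URI_RE.finditer(pdf)]
    urls += [("xmp-namespace", m.group(1).decode("latin-1")) for m in XMLNS_RE.finditer(pdf)]
    return urls


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example; production
    code should use the public suffix list so co.uk-style hosts cluster right."""
    return ".".join(host.lower().split(".")[-2:])


def _is_pdf(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(".pdf")


def assess(pdf: bytes, min_pdf_links: int = 8, min_share: float = 0.6,
           max_size: int = 200_000) -> dict:
    """Apply the two heuristics. Thresholds are illustrative assumptions."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-annotation"]
    pdf_links = [u for u in links if _is_pdf(u)]
    by_domain = Counter(registrable(urlsplit(u).hostname or "") for u in pdf_links)
    top_domain, top_count = by_domain.most_common(1)[0] if by_domain else ("", 0)
    # Non-PDF links carrying a keyword parameter match the redirector shape
    # seen in this campaign; it is a pattern check, not a reputation lookup.
    redirectors = [u for u in links
                   if not _is_pdf(u) and "keyword" in parse_qs(urlsplit(u).query)]
    farm = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
            and top_count / len(pdf_links) >= min_share)
    return {"links": len(links), "pdf_links": len(pdf_links),
            "top_domain": top_domain,
            "top_share": round(top_count / len(pdf_links), 2) if pdf_links else 0.0,
            "redirector_candidates": redirectors,
            "PDF_SEO_LINK_FARM": farm}


if __name__ == "__main__":
    print(assess(build_pdf(LINKS)))
```

Clustering on the registrable domain rather than the full hostname is what makes the filesusr.com-style pattern above (one UUID subdomain per link) collapse into a single host group; clustering on exact hostnames would miss it.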

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off000053e4.bin
  SHA-256: fb1eff03f25457877995d7af5b7f6f4d75efb868cbc0700fc24c7589d99df303
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x53E4
  Size:    5248 bytes

font_01_sfnt_off00006587.bin
  SHA-256: 532fa4325539f5918f945090a170848ad7b32f9360fca3291c890759c647728e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6587
  Size:    1660 bytes

font_02_sfnt_off00006de7.bin
  SHA-256: d4fb7109a91bcb5191ca9b60f5f624269cc634f561de84078cb8086024800268
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6DE7
  Size:    10728 bytes
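Carving embedded fonts like the three listed above comes down to locating stream objects, inflating FlateDecode data where present, and checking the decoded bytes for an sfnt signature. The Python below is an added example, not the analysis tool's code: it builds a constructed PDF with two fake sfnt payloads (one Flate-compressed) and one page-content stream, then records filename, offset, decoded size and SHA-256 for each font found, in the same shape as the table. The regex-based object scan and the offset convention (start of the stream data) are assumptions; the report's own offsets may be defined differently.

```python
"""Added example (not the analysis tool's code): carve sfnt font streams from a
PDF and record offset, decoded size and SHA-256, mirroring the artifact table.
The sample PDF below is constructed; its fonts are fake payloads with sfnt
magic bytes, not real font programs."""
import hashlib
import re
import zlib

# sfnt signatures: TrueType 1.0, Apple 'true', OpenType CFF 'OTTO', collections.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Matches an object's stream dictionary (one level of nesting) up to the start
# of its data. Assumption: a regex scan is enough for this constructed file;
# real-world PDFs with object streams or xref streams need a proper parser.
STREAM_RE = re.compile(rb"obj\s*<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stream_obj(payload: bytes, compress: bool) -> bytes:
    """One indirect-object body wrapping `payload` as a stream."""
    body = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"<< /Length " + str(len(body)).encode() + filt + b" >>\n"
            b"stream\n" + body + b"\nendstream\n")


def build_pdf(stream_bodies) -> bytes:
    """Constructed PDF: numbered objects, each wrapping one stream."""
    out = b"%PDF-1.4\n"
    for i, body in enumerate(stream_bodies, start=1):
        out += str(i).encode() + b" 0 obj\n" + body + b"endobj\n"
    return out + b"%%EOF\n"


def carve_sfnt(pdf: bytes):
    """Return one record per stream whose decoded bytes start with an sfnt magic."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dict_bytes, data_start = m.group(1), m.end()
        lm = LENGTH_RE.search(dict_bytes)
        if not lm:
            continue  # indirect /Length would need xref resolution; skipped here
        raw = pdf[data_start:data_start + int(lm.group(1))]
        data = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or corrupt stream: skip rather than crash
        if data[:4] in SFNT_MAGICS:
            idx = len(found)
            found.append({
                "filename": f"font_{idx:02d}_sfnt_off{data_start:08x}.bin",
                "offset": data_start,      # offset of the stream data in the file
                "size": len(data),         # decoded size, as in the artifact table
                "sha256": sha256_hex(data),
            })
    return found


# Constructed payloads: sfnt magic plus filler, not real fonts.
FONT_A = b"\x00\x01\x00\x00" + bytes(range(256)) * 4   # 1028 bytes, stored Flate-compressed
FONT_B = b"OTTO" + bytes(1500)                          # 1504 bytes, stored raw
CONTENT = b"BT /F1 12 Tf (product manual) Tj ET"         # page content, not a font
STREAMS = [stream_obj(FONT_A, True), stream_obj(CONTENT, False), stream_obj(FONT_B, False)]

if __name__ == "__main__":
    for rec in carve_sfnt(build_pdf(STREAMS)):
        print(rec["filename"], rec["offset"], rec["size"], rec["sha256"])
```

Note that the recorded size is the decoded length, which is why in the table above font_00 (5248 bytes) starts at 0x53E4 while font_01 begins only 4515 bytes later: the compressed stream occupies less space in the file than its inflated contents.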