PDF malware analysis — malicious · 3e531a1a5dbb2816

MALICIOUS

PDF

46.8 KB Created: 2020-08-24 18:19:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a4f9de83b9b0ebcf6a0fd308b3dfc9e3 SHA-1: 0065514f8a06ad09d288ed88d3d2ea7586bed798 SHA-256: 3e531a1a5dbb28161f647da88ad1ad45d2c93079776981de584caf5acf55074c

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link that leads to a URL containing 'attack on titan psp game for android', likely a lure to entice users to click. The PDF also hosts a large number of links to other PDFs, suggesting a link farm for SEO poisoning or traffic redirection. The presence of a download button heuristic further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=attack+on+titan+psp+game+for+android
- http://files.capitolcom.com/uploads/1/3/0/7/130775156/8211440.pdf
- http://gubepuxeg.alexandriatalley.com/uploads/1/3/0/7/130739289/weturowunez.pdf
- http://femul.suitedreams.com/uploads/1/3/0/7/130740112/a29790ee646.pdf
- http://ronoz.foxfirerevivalfarm.com/uploads/1/3/1/3/131380999/sudutikimelilipi.pdf
- https://cdn.shopify.com/s/files/1/0432/4923/8178/files/venizolebaveni.pdf
- https://cdn.shopify.com/s/files/1/0436/2538/2051/files/savipitosekivanarowi.pdf
- https://cdn.shopify.com/s/files/1/0431/6872/7194/files/aeolian_harp_chopin.pdf
- https://cdn.shopify.com/s/files/1/0430/7235/6514/files/wunajagupa.pdf
- https://cdn.shopify.com/s/files/1/0431/3173/2119/files/algebraic_manipulation_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/77330784460.pdf
- https://cdn.shopify.com/s/files/1/0430/3152/7577/files/26834824118.pdf
- https://cdn.shopify.com/s/files/1/0431/4162/8072/files/koditupetipimu.pdf
- https://cdn.shopify.com/s/files/1/0463/4499/4973/files/xakekobekigutozelagupo.pdf
- https://cdn.shopify.com/s/files/1/0434/5928/1048/files/pubadawiduvud.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b19.bin` `8f63d5a47c8cf8a18171c835b903abc66bf5b1ced1f5cf0f05651119b62fce19`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B19	5284 bytes
`font_01_sfnt_off00007cf1.bin` `76979b0c651bdfe8df4a83779fcb954ffdeedfdb70319dad55bd55c5f4191b77`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7CF1	10296 bytes
`font_02_sfnt_off00009fff.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FFF	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.