Verdict: MALICIOUS (Risk Score 120)
Malware Insights
MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
The PDF file contains a link that redirects to known malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to 'Intel Hades Canyon BIOS' and the wkhtmltopdf application, suggesting a lure to entice clicks. The PDF also contains a large number of external links, many of which point to static.usrfiles.com, indicating a link farm strategy.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- https://ttraff.ru/wix?keyword=intel+hades+canyon+bios
- https://static.usrfiles.com/ugd/e73fea_43a2379746eb439b8857dbc7cc019141.pdf
- https://static.usrfiles.com/ugd/b8c837_38f2777cd0044c74995ed39533c8f54b.pdf
- https://static.usrfiles.com/ugd/576447_c2d56ac7e7474366ac8d953ae68f2df8.pdf
- https://static.usrfiles.com/ugd/cf79db_753fbcc6de144b3d9655916e97f097c5.pdf
- https://static.usrfiles.com/ugd/7e0eb0_1b21e8f3a2d64fe7ba695ab097ceaff0.pdf
- https://static.usrfiles.com/ugd/ad2ade_e3b9f939fea94e6b9a8484443e410c8d.pdf
- https://static.usrfiles.com/ugd/c5d40f_406eb813281744bb8a7b2cbe54861f40.pdf
- https://static.usrfiles.com/ugd/e4a001_1f22849402a948d287bf02319da5be11.pdf
- https://static.usrfiles.com/ugd/b8c837_2d9675f563224ab69ed4d3e2331969bb.pdf
- https://static.usrfiles.com/ugd/8127dd_3ab4351db99d4e3e81daf67b0d42ac77.pdf
- https://cdn.shopify.com/s/files/1/0431/8072/0294/files/4002770634.pdf
- https://cdn.shopify.com/s/files/1/0429/2067/3433/files/manual_prctico_del_operador_de_calderas_industriales_gratis.pdf
- https://cdn.shopify.com/s/files/1/0428/3462/4679/files/68650726275.pdf
- https://cdn.shopify.com/s/files/1/0432/0028/2783/files/46100307319.pdf
- https://cdn.shopify.com/s/files/1/0437/0530/3205/files/71296131096.pdf
- https://cdn.shopify.com/s/files/1/0431/4392/1820/files/java_iterate_over_hashmap.pdf
- https://cdn.shopify.com/s/files/1/0433/6009/2309/files/56669800736.pdf
- https://cdn.shopify.com/s/files/1/0434/5407/0951/files/lukorowonoxesevalobas.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
The six http:// entries above are XMP/RDF namespace identifiers from the document's metadata stream, not clickable link annotations; only the https:// entries are reachable by a user clicking inside the PDF.
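The two link heuristics above can be reproduced with a few lines of Python. The block below is an added example, not the analyzer's own code: it scans raw PDF bytes for `/URI` link-annotation targets, counts external links and their per-host clustering, and checks for a known redirector host. It runs over a constructed one-page PDF whose annotations carry the URLs from this report's list (plus an XMP stream, to show that metadata namespace URIs are not link annotations). The thresholds (8 or more external links in a file of at most 64 KiB, at least half on one host), the redirector host set, and the regex-only handling of uncompressed objects are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the redirector host from this report stands in for a campaign intel feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# /URI (literal string) inside a link annotation's action dictionary.
# Assumption: only uncompressed objects are scanned; object streams would need inflating first.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any http(s) URL anywhere in the raw bytes, e.g. XMP namespace declarations.
ANY_URL_RE = re.compile(rb"""https?://[^\s<>"')]+""")


def extract_uri_links(pdf_bytes):
    """URIs reachable through clickable link annotations (the 'link annotation' channel)."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        links.append(raw.decode("latin-1"))
    return links


def extract_any_urls(pdf_bytes):
    """Every http(s) URL in the file regardless of channel (metadata, body text, annotations)."""
    return [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf_bytes)]


def score_pdf_links(pdf_bytes, small_pdf_limit=64 * 1024, min_links=8, cluster_ratio=0.5):
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. Thresholds are assumptions."""
    links = extract_uri_links(pdf_bytes)
    external = [u for u in links if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external) if external else 0.0
    heuristics = []
    if any(h in KNOWN_REDIRECTOR_HOSTS for h in hosts):
        heuristics.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf_bytes) <= small_pdf_limit and len(external) >= min_links and share >= cluster_ratio:
        heuristics.append("PDF_SEO_LINK_FARM")
    return {"links": links, "external_count": len(external), "top_host": top_host,
            "top_host_share": round(share, 3), "heuristics": heuristics}


def build_sample_pdf(urls):
    """Constructed test input (not the analysed sample): a one-page PDF with one
    /Link annotation per URL and an XMP metadata stream carrying namespace URIs."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">'
           b'<dc:title>Intel Hades Canyon BIOS</dc:title></rdf:Description></rdf:RDF></x:xmpmeta>')
    first_annot = 5  # objects 1-4 are catalog, pages, page, metadata
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    for i, u in enumerate(urls):
        y = 700 - 14 * i
        esc = re.sub(rb"([()\\])", rb"\\\1", u.encode("latin-1"))  # PDF literal-string escaping
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 12, esc))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Subset of the URLs listed in this report: the redirector plus the link-farm cluster.
SAMPLE_URLS = [
    "https://ttraff.ru/wix?keyword=intel+hades+canyon+bios",
    "https://static.usrfiles.com/ugd/e73fea_43a2379746eb439b8857dbc7cc019141.pdf",
    "https://static.usrfiles.com/ugd/b8c837_38f2777cd0044c74995ed39533c8f54b.pdf",
    "https://static.usrfiles.com/ugd/576447_c2d56ac7e7474366ac8d953ae68f2df8.pdf",
    "https://static.usrfiles.com/ugd/cf79db_753fbcc6de144b3d9655916e97f097c5.pdf",
    "https://static.usrfiles.com/ugd/7e0eb0_1b21e8f3a2d64fe7ba695ab097ceaff0.pdf",
    "https://static.usrfiles.com/ugd/ad2ade_e3b9f939fea94e6b9a8484443e410c8d.pdf",
    "https://static.usrfiles.com/ugd/c5d40f_406eb813281744bb8a7b2cbe54861f40.pdf",
    "https://static.usrfiles.com/ugd/e4a001_1f22849402a948d287bf02319da5be11.pdf",
    "https://static.usrfiles.com/ugd/b8c837_2d9675f563224ab69ed4d3e2331969bb.pdf",
    "https://static.usrfiles.com/ugd/8127dd_3ab4351db99d4e3e81daf67b0d42ac77.pdf",
    "https://cdn.shopify.com/s/files/1/0431/8072/0294/files/4002770634.pdf",
    "https://cdn.shopify.com/s/files/1/0428/3462/4679/files/68650726275.pdf",
    "https://cdn.shopify.com/s/files/1/0432/0028/2783/files/46100307319.pdf",
]

if __name__ == "__main__":
    report = score_pdf_links(build_sample_pdf(SAMPLE_URLS))
    print(report["heuristics"], report["top_host"], report["top_host_share"])
```

The separation between `extract_any_urls` and `extract_uri_links` is the point of the EMBEDDED_URL note: the XMP namespace URIs show up in the first but not the second, because nothing in the document lets a user click them. A production scanner would additionally inflate `/FlateDecode` object streams and resolve indirect `/A` action references before applying the same scoring.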
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006e31.bin | 2f1a06d1679a8a29a102285ed4fa9004dffa5d26b71fe11b84b991d10044fcab | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E31 | 5112 bytes |
| font_01_sfnt_off00007f84.bin | e1f1e6438ce85ec1f15b548e7f5c2e2c7e48feda59bb5bc27091c7a9f6ccb334 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F84 | 14048 bytes |