PDF malware analysis — malicious · 4262179e872f97fe

MALICIOUS

PDF

41.6 KB Created: 2020-08-15 07:45:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 85833bb6925e409318fa87ac24c8633c SHA-1: bb64e5ea4b9f3fb12a925923c8f35e520b88f243 SHA-256: 4262179e872f97fe9298afc8697790950b93cf75e6932469662543bc6edb58b5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a lure disguised as a 'Job handover report format' and embeds numerous links. One of these links, 'https://ttraff.cc/pify?keyword=job+handover+report+format', is identified as a malicious redirector. The document also features a large number of external PDF links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning tactic. The primary malicious intent appears to be redirecting users to malicious infrastructure via the embedded links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=job+handover+report+format
- http://files.siltsockinstall.net/uploads/1/3/2/6/132695525/xeratikigaxetem.pdf
- http://nokuw.imasters-international.com/uploads/1/3/0/7/130776699/fijonuvun_gogiwuku_padekiton.pdf
- http://walevud.etagfab24.org/uploads/1/3/1/6/131606066/xobilazukogugo.pdf
- http://files.markpenzak.com/uploads/1/3/0/7/130739684/rimumomifeti.pdf
- https://cdn.shopify.com/s/files/1/0434/7602/5497/files/bunting_pattern.pdf
- https://cdn.shopify.com/s/files/1/0434/0154/3831/files/78585669682.pdf
- https://cdn.shopify.com/s/files/1/0438/2166/2365/files/minority_report_2002_free.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7870/files/49920469970.pdf
- https://cdn.shopify.com/s/files/1/0435/1908/2651/files/lariparurowexukal.pdf
- https://cdn.shopify.com/s/files/1/0430/0813/1233/files/47907205058.pdf
- https://cdn.shopify.com/s/files/1/0432/9455/6320/files/50737463631.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/37394074323.pdf
- https://cdn.shopify.com/s/files/1/0428/4507/7671/files/fipomubape.pdf
- https://cdn.shopify.com/s/files/1/0430/0649/2831/files/79244572156.pdf
- https://cdn.shopify.com/s/files/1/0433/7149/5574/files/angularjs_c_mvc_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0428/1863/3894/files/fozudenupu.pdf
- https://cdn.shopify.com/s/files/1/0430/2408/9242/files/96623288624.pdf
- https://cdn.shopify.com/s/files/1/0431/0663/1833/files/titabefeguvokajigazepigu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000065cf.bin` `4a3fa1d49e73030dce6dd61631bb1281b239e9427428ed7b845c358b3efedf77`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65CF	5260 bytes
`font_01_sfnt_off00007787.bin` `6ce0fbaeccbab10896035322bf03a275366ef452aab13caf64e3677c89c0625e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7787	10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.