PDF malware analysis — malicious · 429a1fba24118cb4

MALICIOUS

PDF

44.2 KB Created: 2020-07-30 08:06:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d63f00d3a857061999bcd2664facb118 SHA-1: 55d467f4575094a0fb92c9b5f8fbbf21ea1e8b03 SHA-256: 429a1fba24118cb4f436958e0dc2f351ec30d5cbf6dd66bbc1c8588c3dd377f2

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, suggests a 'download link' lure, further supported by a heuristic for a visual download button. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=pdf+books+download+link
- http://files.lifestarbrokerage.com/uploads/1/3/1/3/131383998/solefexoke.pdf
- http://files.phoneduke.com/uploads/1/3/2/6/132681464/5519942.pdf
- http://files.rollingsoundsdj.com/uploads/1/3/1/3/131379409/wapar-tofoguvuseme.pdf
- http://files.belongingonearth.com/uploads/1/3/1/3/131379732/7091145.pdf
- http://files.belong
- https://cdn.shopify.com/s/files/1/0430/3860/5461/files/fosefagarejum.pdf
- https://cdn.shopify.com/s/files/1/0432/8341/5204/files/7939775856.pdf
- https://cdn.shopify.com/s/files/1/0431/1393/9101/files/xuxemerapigunolo.pdf
- https://cdn.shopify.com/s/files/1/0432/5461/2123/files/zapusekidije.pdf
- https://cdn.shopify.com/s/files/1/0432/5045/0600/files/susagadiresegive.pdf
- https://cdn.shopify.com/s/files/1/0434/0632/7959/files/23364470425.pdf
- https://cdn.shopify.com/s/files/1/0437/2578/3190/files/77747800438.pdf
- https://cdn.shopify.com/s/files/1/0428/5572/7260/files/79897383545.pdf
- https://cdn.shopify.com/s/files/1/0431/1249/7312/files/42070317808.pdf
- https://cdn.shopify.com/s/files/1/0432/6712/9504/files/zugugusakakolo.pdf
- https://cdn.shopify.com/s/files/1/0432/0837/6482/files/walesejonalotadozeza.pdf
- https://cdn.shopify.com/s/files/1/0427/6604/1244/files/11791271137.pdf
- https://cdn.shopify.com/s/files/1/0437/8856/6677/files/6627019694.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000071cb.bin` `4c47520c68445469d5ddc2466e91bdb484f22642e212487dfb6bdef2a5e5ce59`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71CB	4692 bytes
`font_01_sfnt_off000081cd.bin` `8d3663425b772d99ea01246e16a4c777f271f48b17b90e15c63991de34a18516`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81CD	9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.