PDF malware analysis — malicious · 4406831934d32b48

MALICIOUS

PDF

110.7 KB Created: 2020-08-22 00:24:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: feeb74e7285223e3b4a9b8e8fa83cc90 SHA-1: 978dd3e331b09199be4695f827f9edb13bc586d2 SHA-256: 4406831934d32b48b7acf405d8c695485edb403198d07595f653570445db794a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. The document body, though heavily obfuscated, contains text referencing 'Attack on titan reiner and bertholdt transformation' and the malicious URL itself, suggesting a social engineering lure. The file also exhibits characteristics of a link farm, with numerous external PDF links, some of which point to benign content while others are unknown.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=attack+on+titan+reiner+and+bertholdt+transformation
- http://files.msdgrabs.com/uploads/1/3/2/6/132682076/nalaxujuf.pdf
- http://files.digitalindy.biz/uploads/1/3/0/8/130814226/sejovuwewemolune.pdf
- http://tegeg.rosevillacookieco.com/uploads/1/3/2/6/132695569/jelavukuzago.pdf
- http://dapefa.utahstudentnurse.org/uploads/1/3/1/4/131438304/vezoziwofu-nobizobenofusu.pdf
- https://cdn.shopify.com/s/files/1/0446/9247/1962/files/apostila_de_adestramento_de_ces_gratis.pdf
- https://cdn.shopify.com/s/files/1/0464/4824/6952/files/49940086909.pdf
- https://cdn.shopify.com/s/files/1/0434/2412/0988/files/divisible_by_javascript.pdf
- https://cdn.shopify.com/s/files/1/0427/7259/4844/files/60998914983.pdf
- https://cdn.shopify.com/s/files/1/0438/3752/2080/files/arthashastra_malayalam.pdf
- https://cdn.shopify.com/s/files/1/0439/4595/1400/files/48747166116.pdf
- https://cdn.shopify.com/s/files/1/0431/8851/9074/files/refer_annexure_e1.pdf
- https://cdn.shopify.com/s/files/1/0430/9480/2581/files/56716670922.pdf
- https://cdn.shopify.com/s/files/1/0428/3452/6375/files/sejadejoderib.pdf
- https://cdn.shopify.com/s/files/1/0431/1701/9292/files/79245974051.pdf
- https://cdn.shopify.com/s/files/1/0430/5233/5255/files/jelifoxopedafakewuvutix.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000161eb.bin` `4678e9157dc68f51815442569a09385845576511fdbb10572915fcf1d1fb95aa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x161EB	6164 bytes
`font_01_sfnt_off000176f8.bin` `a7078e27d2389fc3ecdf7e763111110fa1f19b4dece5d8bd49f9e37f4a70fb80`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x176F8	5452 bytes
`font_02_sfnt_off0001894e.bin` `e2ff74363a6f572af40427f3cb2dcc63a41ddadd97dca6bef7f11987a12c2a48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1894E	10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.