PDF malware analysis — malicious · 448a2ae25fcacf8d

MALICIOUS

PDF

49.9 KB Created: 2020-08-12 16:27:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 731966da13108b95730d2ca378f6e97c SHA-1: 96134a1d70f81ac3f707511fc9adcb6563ed14b9 SHA-256: 448a2ae25fcacf8d8fcece28c635727d70cb76198466c211cd4534d493bb47ac

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'annotate pdf ubuntu' and includes the malicious URL. This suggests a social engineering attempt to trick users into clicking the link, likely leading to a malicious download or exploit.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=annotate+pdf+ubuntu
- http://files.katiebraden.com/uploads/1/3/1/3/131398066/vamasoro.pdf
- http://files.darklaketarot.com/uploads/1/3/1/3/131380723/158719.pdf
- http://nodujuse.toledohvacpros.net/uploads/1/3/1/3/131383949/zepede.pdf
- http://files.jennysdelights.com/uploads/1/3/1/4/131438437/topitiwanonede_vezerajuwabu.pdf
- http://tomejow.magicmomentstutoring.com/uploads/1/3/1/4/131453133/vomufijirorare_pulukatu_raloja_totajorake.pdf
- https://cdn.shopify.com/s/files/1/0436/5575/7977/files/62644522914.pdf
- https://cdn.shopify.com/s/files/1/0428/9134/6079/files/zoreresezodanitov.pdf
- https://cdn.shopify.com/s/files/1/0433/2670/1726/files/25564877572.pdf
- https://cdn.shopify.com/s/files/1/0441/0589/1992/files/golden_cydia_minecraft_pocket_edition.pdf
- https://cdn.shopify.com/s/files/1/0430/7543/6698/files/43569901525.pdf
- https://cdn.shopify.com/s/files/1/0428/2161/5775/files/79804491075.pdf
- https://cdn.shopify.com/s/files/1/0433/8312/8214/files/69028922325.pdf
- https://cdn.shopify.com/s/files/1/0432/8249/7696/files/48782683577.pdf
- https://cdn.shopify.com/s/files/1/0431/6564/7002/files/jakurizeja.pdf
- https://cdn.shopify.com/s/files/1/0437/8768/1943/files/advanced_bodybuilding_program.pdf
- https://cdn.shopify.com/s/files/1/0433/8266/9464/files/duxofawepoj.pdf
- https://cdn.shopify.com/s/files/1/0428/4959/9644/files/75000783921.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000076e5.bin` `a6d388171b6702cda0e7104440ec56b9eeb6b184ce38a42ef245d7353bb07717`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76E5	4692 bytes
`font_01_sfnt_off000086db.bin` `dd4a41b9ccf7bdecffceb39561011c1c4d006e00c2eaa104e7869bbae1649ffd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x86DB	10976 bytes
`font_02_sfnt_off0000ac5a.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAC5A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.