PDF malware analysis — malicious · 475334e1924af77a

MALICIOUS

PDF

42.0 KB Created: 2020-09-01 02:43:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8b1a8c148c3a7e9fb7d3b663044bac5e SHA-1: 11e28ea69a5cfb25c2facde2fb5013ac030acfd5 SHA-256: 475334e1924af77a9cbfaad3c1d1d0ebacf22257a36a2a3ed3c890fdad94a5d2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be the target of this redirection. This suggests the document is designed to trick users into visiting a malicious site, likely for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/pify?keyword=journal+citation+reports+thomson+reuters
- https://static.usrfiles.com/ugd/99a8f2_0405e974f5a1414eb53da99b83fc826d.pdf
- https://static.usrfiles.com/ugd/b8c837_449b2338c7df4bd79634cab84a69969d.pdf
- https://static.usrfiles.com/ugd/b8c837_cf05ce16c7674097a1f1da5467c5178b.pdf
- https://static.usrfiles.com/ugd/77941b_738a6028500641d8ae851fa13f0cd4c5.pdf
- https://static.usrfiles.com/ugd/95089d_cd550e81f7e34054b81286510db23f72.pdf
- https://cdn.shopify.com/s/files/1/0432/1725/6605/files/negenafisedutupun.pdf
- https://cdn.shopify.com/s/files/1/0449/7843/8302/files/vrealize_automation_7_installation_guide.pdf
- https://cdn.shopify.com/s/files/1/0438/2490/6400/files/home_inspection_checklist_template.pdf
- https://cdn.shopify.com/s/files/1/0430/5331/8306/files/balopewunapi.pdf
- https://cdn.shopify.com/s/files/1/0429/4790/3654/files/46911348954.pdf
- https://static.usrfiles.com/ugd/8b2c09_8ebe946ac69047faae29037017ed5bcd.pdf
- https://static.usrfiles.com/ugd/67f5f7_a6ee062c6f7847c19f2d91924e6a5e1b.pdf
- https://static.usrfiles.com/ugd/353d00_f77d0771a7df4e56a01428a1fd8e6982.pdf
- https://static.usrfiles.com/ugd/89064d_99b5510bc362467f966dc6acda038855.pdf
- https://static.usrfiles.com/ugd/7f46b5_e62d2357fe9943b287d23fb11ca0ce4d.pdf
- https://static.usrfiles.com/ugd/b8c837_4c6d84cce8e64804aeda1f6a4b653eaa.pdf
- https://static.usrfiles.com/ugd/2486b5_1f6f185e77764849936801a17c10dcd3.pdf
- https://static.usrfiles.com/ugd/e5a943_a4256ad4427d45febce18e7e55bd4553.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000065d0.bin` `5e42f233fd6ba0af21ed553acb9f3a8a3abf383e00f837b17b591630cd1ebf56`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65D0	5164 bytes
`font_01_sfnt_off00007731.bin` `29b877e85c35e451309d57f710ad8e8d27e3e35ca8b1dba012b2bb3dbc61f61c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7731	10432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.