PDF malware analysis — malicious · 4966418c38939ecc

MALICIOUS

PDF

45.7 KB Created: 2020-08-27 14:29:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6ef0b40bfd84688608fcf4defc72b761 SHA-1: f106833ca3d01b2e278ad7cf8b710f740829881a SHA-256: 4966418c38939ecc9e741c420819dd5f8fa3a6bbc4f9fad1b5d0898197772a66

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a significant number of embedded links, with one heuristic identifying it as a PDF link farm. The primary malicious link points to a redirector, suggesting an attempt to obscure the final destination. The document body contains garbled text and a URL that appears to be part of the link farm. The presence of numerous links, including one to a redirector, indicates a likely attempt to distribute malicious content or manipulate search engine results.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=ugly+robert+hoge+summary
- http://files.ninelivestwine.com/uploads/1/3/0/8/130874629/vezik_gunefitotokek.pdf
- http://rifabekis.geoffx.com/uploads/1/3/2/8/132814038/tafamofulobetus.pdf
- http://files.leeluummakeupartistry.com/uploads/1/3/1/3/131381204/6495412.pdf
- https://cdn.shopify.com/s/files/1/0456/4369/4247/files/animoto_free_crack.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/88075317933.pdf
- https://cdn.shopify.com/s/files/1/0451/9664/0407/files/el_procedimiento_monitorio_piero_calamandrei.pdf
- https://cdn.shopify.com/s/files/1/0432/2027/1264/files/34241344377.pdf
- https://cdn.shopify.com/s/files/1/0428/4389/8019/files/31082445995.pdf
- https://cdn.shopify.com/s/files/1/0434/5335/0040/files/vivid_verbs_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0437/1356/0731/files/brinkmann_select_grill_manual.pdf
- https://cdn.shopify.com/s/files/1/0437/8768/1954/files/inland_aquaculture_engineering_fao.pdf
- https://cdn.shopify.com/s/files/1/0438/0459/0242/files/blank_calendar_september_2020.pdf
- https://cdn.shopify.com/s/files/1/0439/1079/1323/files/gmail_bypass_apk_file.pdf
- https://cdn.shopify.com/s/files/1/0430/0718/0954/files/43392024076.pdf
- https://cdn.shopify.com/s/files/1/0431/2068/9306/files/12906431616.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000065ac.bin` `96a825a25455a8d0acea25648fd6c277e47dc3305c2db35f85a65244a3e92ee3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x65AC	5060 bytes
`font_01_sfnt_off000076ea.bin` `505889a526525a696aa16844cfeba1fbd3d3cf93993f0e15c8114730a4c88f6f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76EA	10924 bytes
`font_02_sfnt_off00009c34.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C34	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.