PDF malware analysis — malicious · 4c9a61db1363ac13

MALICIOUS

PDF

46.0 KB Created: 2020-08-22 06:56:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7adf2d2e8956f97ff2c0341eb54996fc SHA-1: 15d727dcf76c08cf7e99846f333a8bccf5e100a2 SHA-256: 4c9a61db1363ac136390f268cb886acb44da22299dc4b02f9a578961a5445678

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as exam questions, which is a common social engineering tactic to trick users into visiting malicious sites. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation to improve the ranking of the malicious link. The document body contains obfuscated text and a URL that is a clear indicator of malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=bls+exam+questions+and+answers+2019+pdf
- http://dabas.westendarts.org/uploads/1/3/2/3/132302984/415a9fc4ef0.pdf
- http://files.ajeplanners.com/uploads/1/3/1/4/131406816/sifojopese_nidukuzinagimo_xutokajofuzi_roxurugar.pdf
- http://xalix.zepoloptimized.com/uploads/1/3/0/9/130969204/03f96.pdf
- https://cdn.shopify.com/s/files/1/0430/0508/3811/files/32878253794.pdf
- https://cdn.shopify.com/s/files/1/0431/3153/5524/files/pdf_bhagavad_gita_in_kannada.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/27055139941.pdf
- https://cdn.shopify.com/s/files/1/0427/6623/7852/files/the_assassination_of_jesse_james_screenplay.pdf
- https://cdn.shopify.com/s/files/1/0438/7025/7320/files/xowapukitaxi.pdf
- https://cdn.shopify.com/s/files/1/0435/1547/8176/files/80572493644.pdf
- https://cdn.shopify.com/s/files/1/0432/7515/7670/files/biological_molecules_questions_and_answers.pdf
- https://cdn.shopify.com/s/files/1/0437/1929/5130/files/63239702489.pdf
- https://cdn.shopify.com/s/files/1/0430/9411/4465/files/74852602034.pdf
- https://cdn.shopify.com/s/files/1/0434/8752/7078/files/revojexaler.pdf
- https://cdn.shopify.com/s/files/1/0433/9204/1118/files/visexuxituvugujiri.pdf
- https://cdn.shopify.com/s/files/1/0436/2915/0368/files/17204492511.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zurutadodusabexefiba.pdf
- https://cdn.shopify.com/s/files/1/0431/5817/5906/files/information_about_ancient_civilization_of_egypt.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000072d6.bin` `736365de4a0dfccb794fbc7c5c1dce48deef098831ad6099e0cf468b42bf8609`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72D6	6004 bytes
`font_01_sfnt_off00008749.bin` `e60f08fcc0632a63deafcd62853304e8e49ed6ea24d2a67a77f884c399cdfa08`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8749	10272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.