PDF malware analysis — malicious · 4d92bc57bf51a871

MALICIOUS

PDF

89.8 KB Created: 2020-08-31 01:07:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3e0be569c6ee787637502607675a5d6a SHA-1: 7365f3692982a6b124af88db96d2ba1f37f91bca SHA-256: 4d92bc57bf51a8714178b7431d1659b2bab11fb1394907a126bac789f8f70046

168 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link farm and a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for a comic or story, combined with urgency language. The presence of a malicious redirector URL suggests the intent is to lead the user to a malicious site, likely for phishing or to initiate a scam.

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=tf2+comic+6
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/83971047952.pdf
- https://cdn.shopify.com/s/files/1/0428/2171/4076/files/85337648815.pdf
- https://cdn.shopify.com/s/files/1/0435/4444/5092/files/xobugisaxewenogadoloroxib.pdf
- https://cdn.shopify.com/s/files/1/0432/1991/0820/files/85661731902.pdf
- https://cdn.shopify.com/s/files/1/0431/3088/0162/files/bazemokukaforofuzujotedel.pdf
- https://cdn.shopify.com/s/files/1/0462/5550/5557/files/the_humanure_handbook.pdf
- https://cdn.shopify.com/s/files/1/0469/4376/4641/files/rirubejuxilegado.pdf
- https://cdn.shopify.com/s/files/1/0430/7720/6178/files/company_brochure_format.pdf
- https://cdn.shopify.com/s/files/1/0447/9824/7078/files/mariano_azuela_biografia.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rinubigelezegir.pdf
- https://cdn.shopify.com/s/files/1/0469/2597/1611/files/vinulalokexorurim.pdf
- https://cdn.shopify.com/s/files/1/0438/2051/5488/files/imberhorne_school_east_grinstead_ofsted_report.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000123fa.bin` `499aa6241b8600e7d7330ca2ac85e8cc3c8be14d6242d13d3c5585355c9352f2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x123FA	4744 bytes
`font_01_sfnt_off00013414.bin` `5a8e0857c0af6da8040a993574335f04e1e079a2913b8caefb7314d9a477dd2c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13414	11452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.