PDF malware analysis — malicious · 5384adfdca3d6402

MALICIOUS

PDF

47.4 KB Created: 2020-08-14 18:39:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: db49cc19444f61947c030a4faf66a0a7 SHA-1: da369de52b7cd976a54df9c9ec516742ab030ee9 SHA-256: 5384adfdca3d640247c24dd44717c7d8b467af9ea0a8f9f9bf331e93869fd70e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text that, combined with the heuristic firings, strongly suggests an advance-fee scam lure. The presence of numerous external links, many pointing to Shopify domains, indicates an attempt to distribute malicious content or redirect users to phishing sites. The primary malicious URL identified is https://ttraff.cc/wb?keyword=networking%20meaning%20pdf.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=networking%20meaning%20pdf
- http://walisaf.al-anon-ulster-sullivan-ny.org/uploads/1/3/0/7/130775432/2058836.pdf
- http://rigunago.misternelly.com/uploads/1/3/0/7/130739204/ratiwepot-migapisegapakul-zojajozami-nirirozo.pdf
- https://cdn.shopify.com/s/files/1/0441/2263/6440/files/alkanes_and_cycloalkanes.pdf
- https://cdn.shopify.com/s/files/1/0432/5543/1323/files/guwifemolajuz.pdf
- https://cdn.shopify.com/s/files/1/0433/7631/2471/files/walozo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/66491839223.pdf
- https://cdn.shopify.com/s/files/1/0432/7194/6398/files/64641432293.pdf
- https://cdn.shopify.com/s/files/1/0432/8616/7702/files/gentamicin_mechanism_of_action.pdf
- https://cdn.shopify.com/s/files/1/0433/9374/5046/files/17655307828.pdf
- https://cdn.shopify.com/s/files/1/0437/3279/5541/files/9167308624.pdf
- https://cdn.shopify.com/s/files/1/0437/6517/0334/files/budgetary_control_in_cost_accounting.pdf
- https://cdn.shopify.com/s/files/1/0430/3519/7602/files/shri_durga_saptashati_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006da5.bin` `23a6183ad7348332ceed3b6d41a0b19e523c8e3208f4afce665846148c876bd1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DA5	5064 bytes
`font_01_sfnt_off00007edd.bin` `125d3b775d4f54dbeb3906566672ad0631c25d304c073e9b9c58634a9ec13b5d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EDD	10420 bytes
`font_02_sfnt_off0000a294.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA294	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.