PDF malware analysis — malicious · 561716e632dd4302

MALICIOUS

PDF

44.1 KB Created: 2020-08-31 11:02:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e1071b3ddbe90aeab38e588e0ffc6bdc SHA-1: ed4b7b9061ab3e6c33bdd3a55a646ebf15bbab45 SHA-256: 561716e632dd43025a4008d4aa7ba45d75fec0fb4598c3276534ca6aa114c6f2

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The file also exhibits characteristics of a link farm, with numerous embedded URLs. The presence of a 'download button' heuristic further supports the lure mechanism. The primary malicious IOC is the redirector URL, which likely leads to the delivery of a second-stage payload.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=bhagwat+gita+book+in+hindi+pdf+downl
- https://static.usrfiles.com/ugd/6f53d7_65a3176723b249bda4a7378c001a6548.pdf
- https://static.usrfiles.com/ugd/9d66c7_44fe42320654429c8ef05348f0923df8.pdf
- https://static.usrfiles.com/ugd/b8c837_8133846a74a347bb80fdd642ef36c006.pdf
- https://cdn.shopify.com/s/files/1/0429/8535/7463/files/92050868225.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vuvitew.pdf
- https://cdn.shopify.com/s/files/1/0431/0633/6930/files/kanopegobu.pdf
- https://cdn.shopify.com/s/files/1/0433/9141/8526/files/vozesozabafuju.pdf
- https://cdn.shopify.com/s/files/1/0431/0158/5562/files/fokazub.pdf
- https://cdn.shopify.com/s/files/1/0434/6265/6152/files/kavam.pdf
- https://cdn.shopify.com/s/files/1/0440/1538/6789/files/royal_500dx_cash_register_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/8704/4515/files/50572806252.pdf
- https://cdn.shopify.com/s/files/1/0427/7128/4135/files/zidofakavilezikikopebazid.pdf
- https://cdn.shopify.com/s/files/1/0434/3237/8517/files/69990245598.pdf
- https://cdn.shopify.com/s/files/1/0431/6993/9612/files/damutefejazi.pdf
- https://cdn.shopify.com/s/files/1/0431/7957/3414/files/52103752678.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000057b5.bin` `5b6076c20cc167052b6db2112b9290b383042cf051a662f7db158a9a0593f2fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x57B5	5376 bytes
`font_01_sfnt_off00006a07.bin` `88c1141edb6001349774b756b3ea9863364aa8e6945c41475e4355d2cd73cc80`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A07	14160 bytes
`font_02_sfnt_off00009636.bin` `165a53be2de0cdd3902f034b964a967d0caeb97bf8d1d6e3c59ff1b269be8a8b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9636	3340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.