PDF malware analysis — malicious · 5847e8aeb7068aba

MALICIOUS

PDF

48.5 KB Created: 2020-08-19 10:48:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 60369774092fd7dde49329ffdfe63169 SHA-1: 523bfaff166f4a3dbb8fb0344449af6baf8a8fa5 SHA-256: 5847e8aeb7068aba7847699d38e739ea8ef99a4b9acc4a643d05464b068646ae

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its inclusion of a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious content. One of the primary links points to a known malicious redirector. The document body itself is largely unreadable binary data, but the presence of the malicious redirector URL and the link farm heuristic strongly suggest a malicious intent, likely to lure users to harmful websites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=platform+business+model+canvas
- http://zigate.stallionscouts.org/uploads/1/3/1/1/131164250/teforo_jovigenufu_witeles_dipogasisavi.pdf
- http://files.beautyartistry.net/uploads/1/3/2/8/132814898/6937fb.pdf
- https://cdn.shopify.com/s/files/1/0430/4178/3959/files/josimafanipinarurekubumad.pdf
- https://cdn.shopify.com/s/files/1/0437/3823/5031/files/41394285532.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/doragewotupepefe.pdf
- https://cdn.shopify.com/s/files/1/0430/6976/7842/files/71612019396.pdf
- https://cdn.shopify.com/s/files/1/0431/7901/6360/files/dosafugidena.pdf
- https://cdn.shopify.com/s/files/1/0437/3155/0362/files/soul_surfer_book_download.pdf
- https://cdn.shopify.com/s/files/1/0431/7727/9652/files/40649605330.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/7082322425.pdf
- https://cdn.shopify.com/s/files/1/0429/0406/0071/files/bengali_to_english_translation_book.pdf
- https://cdn.shopify.com/s/files/1/0433/2955/2552/files/povepakubegelulu.pdf
- https://cdn.shopify.com/s/files/1/0428/9704/7718/files/61133100189.pdf
- https://cdn.shopify.com/s/files/1/0432/8947/7278/files/tikomekutoladadolevoxajoj.pdf
- https://cdn.shopify.com/s/files/1/0429/9322/1783/files/timevidoku.pdf
- https://cdn.shopify.com/s/files/1/0437/8171/8173/files/71649986114.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000071a2.bin` `11e4d53a185578ae22ef82e56708a911852ac8c958ef78a01a095ac0306a16ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71A2	5248 bytes
`font_01_sfnt_off0000835e.bin` `acb2b3d87c7b109481a96842a2e3079f7103ae146d3607c6c42fc090b6f0f18a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x835E	10488 bytes
`font_02_sfnt_off0000a73c.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA73C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.