PDF malware analysis — malicious · 593814d21edea5a5

MALICIOUS

PDF

46.3 KB Created: 2020-09-02 04:18:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4ef76a3c21f1416f245b3a231b82de56 SHA-1: fee4f86600aec6aadc65e93474edb1c60d5a7112 SHA-256: 593814d21edea5a53cda4250f26b654e3f1200db638d2edeca9c005de82a27db

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing indicating it's a malicious redirector, linking to a URL that is part of a link farm. The document body, though heavily obfuscated, contains the same suspicious URL and text related to a 'foliage report', suggesting a lure. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=north+conway+nh+foliage+report
- https://static.usrfiles.com/ugd/b6bf5b_d0445438195345ee9836ff57efcd67f3.pdf
- https://static.usrfiles.com/ugd/11f207_72c4509257d542d99bf2584c10f1d19c.pdf
- https://static.usrfiles.com/ugd/f2ef67_6ed4eda0b4be4abcb7ced50e3f9dd1d5.pdf
- https://static.usrfiles.com/ugd/b4609a_3979f24abbcc472ba682126c518c2676.pdf
- https://static.usrfiles.com/ugd/47b1e8_4917276b83774aa4949b9e8776ba97be.pdf
- https://static.usrfiles.com/ugd/66f7a0_4d4ed927d5a040d2b844341d7fa8ae5e.pdf
- https://static.usrfiles.com/ugd/808d8c_a722a1330f724f0289d3dfc3893993ed.pdf
- https://cdn.shopify.com/s/files/1/0436/2534/9273/files/bambara_groundnut_journal.pdf
- https://cdn.shopify.com/s/files/1/0438/7376/3496/files/16279469207.pdf
- https://cdn.shopify.com/s/files/1/0431/0722/1658/files/cardiopulmonary_physical_therapy_management_and_case_studies.pdf
- https://cdn.shopify.com/s/files/1/0438/8428/2008/files/bigowemifo.pdf
- https://cdn.shopify.com/s/files/1/0430/8336/6551/files/classroom_assessment_and_evaluation.pdf
- https://cdn.shopify.com/s/files/1/0431/7888/5280/files/29843440160.pdf
- https://cdn.shopify.com/s/files/1/0431/1583/9645/files/counterparty_credit_risk_brigo.pdf
- https://cdn.shopify.com/s/files/1/0433/6667/8686/files/silkworm_bombyx_mori.pdf
- https://cdn.shopify.com/s/files/1/0428/5736/5670/files/latest_iphone_ios.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ae8.bin` `ea81958513e2de1abb9a09396e96671a8f11bc4b8bafb9c66753e2924fc7a17e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6AE8	5052 bytes
`font_01_sfnt_off00007c2a.bin` `bd0c99dbbcf3dce87bc285fe9d17a02e7a330981ce8d799933aa9326fc389c0a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C2A	9956 bytes
`font_02_sfnt_off00009e46.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9E46	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.