PDF malware analysis — malicious · 597bade65e233111

MALICIOUS

PDF

53.7 KB Created: 2020-08-30 21:50:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 563aa9231094e2865e740d5bcaf8fe00 SHA-1: 81c23c29676a4d367f617291b192d1d2124df4ac SHA-256: 597bade65e233111d01a017fe262c443bc2fb375854fef49b100f02d81a070da

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure, referencing a website and a report. The presence of a link farm and a callback lure heuristic further supports a phishing or scam attempt. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=nikhil+samarpan+website
- https://cdn.shopify.com/s/files/1/0430/9693/2505/files/opal_tower_report.pdf
- https://cdn.shopify.com/s/files/1/0437/2430/8630/files/26202256674.pdf
- https://cdn.shopify.com/s/files/1/0432/8279/2606/files/76003950043.pdf
- https://cdn.shopify.com/s/files/1/0437/3702/2615/files/ditimemifuxa.pdf
- https://static.usrfiles.com/ugd/837d34_5d022d0bf6204f0e8e563bd84fb8a99a.pdf
- https://static.usrfiles.com/ugd/12daa7_f79d087c111f4b20aa9756190dc7222b.pdf
- https://static.usrfiles.com/ugd/b8c837_35365b011cf343b1aaa7679df2683cec.pdf
- https://static.usrfiles.com/ugd/d43733_af736c3ee4cc457195042870dfa7f30b.pdf
- https://static.usrfiles.com/ugd/b8c837_b3118e2f9e9b4b358d7ff7f947133adf.pdf
- https://static.usrfiles.com/ugd/b8c837_7965b7021d734b74bcf01906dc02aa5d.pdf
- https://static.usrfiles.com/ugd/162fe6_25dbfbde1a214f89a91b431763f801df.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000595a.bin` `5cb5016c5e314cadc8a6021d7a204450d9a325887af18116add81389542cc8c0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x595A	5324 bytes
`font_01_sfnt_off00006b4e.bin` `d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B4E	3720 bytes
`font_02_sfnt_off000076b1.bin` `b39f75eadfc932792b161da24fea445392a100f8a4855082297b7d9d594c2700`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76B1	10512 bytes
`font_03_sfnt_off00009ad7.bin` `ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9AD7	16164 bytes
`font_04_sfnt_off0000b02c.bin` `57d67129c44b72998dbbbe0f807060bf59079aab6992d80c057eca9afd26115f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB02C	7312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.