PDF malware analysis — malicious · 812ec1017c65753d

MALICIOUS

PDF

45.9 KB Created: 2020-09-05 22:24:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 439bb839d545aaadd3b250ab8d3d7d24 SHA-1: 34b61b5597fb61028e7bfd24f3b6c29e22dbf1e2 SHA-256: 812ec1017c65753d68ee165d6f7750e9280dd3c2be97e5d8c5d2ff87c5882767

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document's content and structure suggest a lure, likely an invoice or payment request, to entice users to click the malicious link. The presence of a link farm further indicates an attempt to distribute malicious content or traffic.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=envelope+address+format+sri+lanka
- https://static.usrfiles.com/ugd/33c377_030bb903a07b46afab31fa7854b3e919.pdf
- https://static.usrfiles.com/ugd/934fc3_4436feeb64fc41558ec0f78dfffb2465.pdf
- https://static.usrfiles.com/ugd/a2de88_db2b654ba4274a94aa2c3a30efbd20e5.pdf
- https://static.usrfiles.com/ugd/d54300_47f7f598fb374dd48c498d8e162f7d8a.pdf
- https://static.usrfiles.com/ugd/ddb60a_7230d022da324cb7a37d6e353ea9a905.pdf
- https://static.usrfiles.com/ugd/5a1791_de46242aad4b4826b2bd8fb12324ba9b.pdf
- https://cdn.shopify.com/s/files/1/0450/2824/5654/files/juronekiweki.pdf
- https://cdn.shopify.com/s/files/1/0438/0708/0610/files/wirutukisi.pdf
- https://static.usrfiles.com/ugd/b4609a_e0ce194a8ce44f2bb7eb4995a12e10f9.pdf
- https://static.usrfiles.com/ugd/ac51ce_27e408b133d94f4db0a21ea0ed497eb0.pdf
- https://static.usrfiles.com/ugd/b97cba_7c281c90183f46b28573627e51b75a31.pdf
- https://static.usrfiles.com/ugd/33c377_eff3ccfbf2f0482aaff780eaab29be57.pdf
- https://static.usrfiles.com/ugd/2d797c_12db663cdfbd44c895293da32e950715.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005dfd.bin` `160efb7057f1d37db9a581bd7979c7e67b29eb44ce59b93600ef6f684daf64cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5DFD	5268 bytes
`font_01_sfnt_off00006fdd.bin` `fbae0964abc800d0db5f5a0b5c9a9cc86b8a00c91c5b69d86918ca8c054d2c52`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FDD	11692 bytes
`font_02_sfnt_off00009574.bin` `6820151f9a4816bccc9e85e605aef44ce22c8924dfcccd161584754f275bf028`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9574	16132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.