PDF malware analysis — malicious · 81ffb23bb97da5a3

MALICIOUS

PDF

48.1 KB Created: 2020-08-15 03:03:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 554535efd670a7b62d9a11784c6aadfe SHA-1: b770d0a6279547e6ddd126ba5889578433547453 SHA-256: 81ffb23bb97da5a32d9f4b14cd578b302f3a7cbf638da328de7d92141b57b633

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link disguised as a download for 'Autodesk autocad 2008 free', which redirects to a known malicious redirector. The document also contains a mass external PDF link farm, suggesting a SEO poisoning or link farm attack. No scripts were extracted, but the presence of malicious redirector links and the lure indicate a phishing or malware delivery attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=autodesk+autocad+2008+free
- http://kipiv.ascendingscore.com/uploads/1/3/1/3/131384401/a4fd8194c8.pdf
- http://jepixukaj.tyewinkinmink.com/uploads/1/3/2/7/132741099/4928530.pdf
- https://cdn.shopify.com/s/files/1/0429/4089/1292/files/quest_diagnostics_order_form.pdf
- https://cdn.shopify.com/s/files/1/0434/6209/9097/files/sabosadesanudidobon.pdf
- https://cdn.shopify.com/s/files/1/0428/4363/5879/files/21798577856.pdf
- https://cdn.shopify.com/s/files/1/0432/9547/3822/files/hola_vpn_for_mac.pdf
- https://cdn.shopify.com/s/files/1/0440/7951/3752/files/jirujutifebim.pdf
- https://cdn.shopify.com/s/files/1/0431/3609/0267/files/vuxufuposaxuxi.pdf
- https://cdn.shopify.com/s/files/1/0430/3942/4663/files/33609368362.pdf
- https://cdn.shopify.com/s/files/1/0437/5996/0218/files/gekogasitokekax.pdf
- https://cdn.shopify.com/s/files/1/0429/9541/7237/files/10650862706.pdf
- https://cdn.shopify.com/s/files/1/0433/8165/3655/files/dunifuripof.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006036.bin` `d4924a8d788e2192e4577cb9dc6373b302a86eea2c171841f4a92c2b18ab832f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6036	3608 bytes
`font_01_sfnt_off00006d02.bin` `058d57669d09845f075d5e58c75c4b410f473a5f0566a440f25fa1d3e18832ee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D02	5504 bytes
`font_02_sfnt_off00007fbc.bin` `e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FBC	1800 bytes
`font_03_sfnt_off0000884a.bin` `c61b1430e4d2feb17cc775ab850401412490d0bb2bef3e291c35fe24df9b691c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x884A	13216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.