PDF malware analysis — malicious · 84f3282b82c18d0c

MALICIOUS

PDF

40.1 KB Created: 2020-08-17 16:07:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7f898d958feba2aa010c393c32151cc5 SHA-1: bf3606bf426adb1068d72f0ab96ed34b64bdd346 SHA-256: 84f3282b82c18d0ce6aeb7778292d51eb6e7cbb85d37d8b26a1a6f71f505b96c

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one heuristic firing indicating a link to known malicious redirector infrastructure. Another heuristic identifies a large number of external PDF links, suggesting a link farm. The document body, though heavily obfuscated, contains a URL that appears to be part of the lure. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=vector+infographics+templates
- http://files.jenniferowendavies.com/uploads/1/3/1/1/131163736/5981978.pdf
- http://wumusugel.spotlightseniorservicestucson.com/uploads/1/3/0/7/130740019/741584.pdf
- http://files.sgcommercialmall.com/uploads/1/3/0/7/130738779/fuxabolusamukob-nelebaporevak-sogofivexosavam-wasalurow.pdf
- http://files.msharrisfirstgrade.com/uploads/1/3/1/4/131453284/2700394.pdf
- http://femojed.ashleynicoleaffair.com/uploads/1/3/1/3/131383664/5898088.pdf
- https://cdn.shopify.com/s/files/1/0434/3260/7894/files/rimatavu.pdf
- https://cdn.shopify.com/s/files/1/0434/6960/2978/files/nivogubunefakivulu.pdf
- https://cdn.shopify.com/s/files/1/0437/1991/7720/files/mugenuzikipu.pdf
- https://cdn.shopify.com/s/files/1/0434/3706/4344/files/97775520975.pdf
- https://cdn.shopify.com/s/files/1/0433/0012/6880/files/18414936352.pdf
- https://cdn.shopify.com/s/files/1/0431/1403/7397/files/49910335266.pdf
- https://cdn.shopify.com/s/files/1/0431/8068/7524/files/nafisifik.pdf
- https://cdn.shopify.com/s/files/1/0430/1553/6793/files/46036262381.pdf
- https://cdn.shopify.com/s/files/1/0428/2282/8198/files/child_immunization_chart.pdf
- https://cdn.shopify.com/s/files/1/0429/7113/6154/files/52618195584.pdf
- https://cdn.shopify.com/s/files/1/0431/6535/2093/files/gexomenipi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005f24.bin` `815fca27c6cc9b64ec58e6efb7da89a5a9477034bf9975051e8c6ed7a8926229`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5F24	5396 bytes
`font_01_sfnt_off00007155.bin` `78e8ac73012423ae3b0926164d4a3274b84f727043a072ec400589c45097199f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7155	10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.