PDF malware analysis — malicious · 867003cb0eecd3ef

MALICIOUS

PDF

45.3 KB Created: 2020-09-01 19:28:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 68526d5e01df8f8727cc8b00f75a6492 SHA-1: 267c6455af4a849dbb8f8fb8c0b9172b16a32235 SHA-256: 867003cb0eecd3ef3a06645e0736cca0c5a61df8d35fed8b266c839475fa914d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to known malicious infrastructure. The document body, though partially corrupted, contains text suggesting a lure related to "driver test questions and answers pdf" and embeds a URL that redirects to this malicious domain. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, likely for SEO manipulation or to distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=driver+test+questions+and+answers+pdf
- https://cdn.shopify.com/s/files/1/0434/2244/9820/files/92677524807.pdf
- https://cdn.shopify.com/s/files/1/0437/5203/0357/files/36174147993.pdf
- https://cdn.shopify.com/s/files/1/0429/6930/1151/files/16316830863.pdf
- https://static.usrfiles.com/ugd/cbdbb6_a4c43c4093184cfcb46b9651de0db0d7.pdf
- https://static.usrfiles.com/ugd/b8c837_d03e226abbb2461e832317b20ef606b8.pdf
- https://static.usrfiles.com/ugd/52b593_d0084484b37846a79ffad074fa3a2afb.pdf
- https://static.usrfiles.com/ugd/b8c837_03d86b7417ca4d8ea362872ef1700ea5.pdf
- https://static.usrfiles.com/ugd/1e4819_6e96cbe7d02d47b790f0b9f8bc91962a.pdf
- https://static.usrfiles.com/ugd/822ecd_5b93ba0fc0594a0da093a4976c8046bc.pdf
- https://static.usrfiles.com/ugd/dc98cc_1f015dc9303049b38637d308f759ece4.pdf
- https://static.usrfiles.com/ugd/b8c837_891e1e417a1c4325ab2beba557355967.pdf
- https://static.usrfiles.com/ugd/b8c837_ea840c07449841309ba662df1533cf19.pdf
- https://static.usrfiles.com/ugd/f84671_43cbff5a4bea42a686c2c8769f33acc5.pdf
- https://static.usrfiles.com/ugd/b8c837_21cc0cae5a5d426ca3d9d6962460034b.pdf
- https://static.usrfiles.com/ugd/565485_0ff4f70e0df0437dbdee8d9e5bd0dc7d.pdf
- https://static.usrfiles.com/ugd/9e14ca_62744a8d8cf14c478e28930398310ed2.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000715e.bin` `66e505ebf0fd70dc3969f5d190c05567864212ab924a307b8da3ce28216868fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x715E	5280 bytes
`font_01_sfnt_off0000837b.bin` `48adf9c10f0a3937a100d4618852c6562ec3972a432e3e01291bdc5108088c56`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x837B	10792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.