PDF malware analysis — malicious · 87ed1cf0572f2bc2

MALICIOUS

PDF

55.8 KB Created: 2020-07-12 17:58:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4903b3ffb060f4904c714138f642cc8f SHA-1: 3af717e1395b7d74f2e7892ca1c440c5335fc72f SHA-256: 87ed1cf0572f2bc2885bec35e0d97bb89778fa279592bc0f0c413e454a136991

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified as a link farm. One of these links, 'https://ttraff.com/wb?keyword=1001%20nights%20story%20pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the malicious URL and other PDF links, suggesting a lure to download further malicious content or visit malicious sites. The heuristic firings strongly indicate a malicious intent to redirect users to harmful infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=1001%20nights%20story%20pdf
- http://files.heartsofhorsehaven.org/uploads/1/3/2/6/132681916/jawuderuniwalu_duliguxa.pdf
- http://files.madlyeclectic.com/uploads/1/3/1/4/131483253/nuwitoduku_xafozovininu_lekilirox_navagad.pdf
- http://files.lm2go.com/uploads/1/3/1/8/131856713/5486656.pdf
- http://files.mectacprinstructor.com/uploads/1/3/1/4/131437740/2f469132278.pdf
- http://files.casaofcentraloregon.org/uploads/1/3/1/1/131164398/8127608.pdf
- http://files.jamesedwardhughes.com/uploads/1/3/0/8/130814387/5962757.pdf
- https://fodibak.files.wordpress.com/2020/07/36924369384.pdf
- https://zodizijemas.files.wordpress.com/2020/06/rezatoludoreledama.pdf
- https://bujavam.files.wordpress.com/2020/06/vavanokibofobibubupokisur.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/38664456414.pdf
- https://cdn.shopify.com/s/files/1/0432/1358/6596/files/dutavubakukewamukevagiba.pdf
- https://cdn.shopify.com/s/files/1/0430/1740/4573/files/49133996835.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kevesuladufutaniwor.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zimupumunilojoduwa.pdf
- https://cdn.shopify.com/s/files/1/0433/3866/2053/files/8789435001.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/17612659915.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/87294954422.pdf
- https://cdn.shopify.com/s/files/1/0429/5937/2439/files/88057795610.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009de9.bin` `a3d6a60e1ae0085bc832ed93570187936ed651307196eb4fe81039c395328031`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DE9	4932 bytes
`font_01_sfnt_off0000aea4.bin` `9489a87654dc7a54de3d4da567636e6b6ad490f9402dc179617a80c38aa9875b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAEA4	10632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.