PDF malware analysis — malicious · 8ba3fcd75f479878

MALICIOUS

PDF

50.7 KB Created: 2020-08-23 01:09:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1aac3a0cab716b08b60ac763261a09a6 SHA-1: ed49f611529aa261fa4ca279250da7056ced6b20 SHA-256: 8ba3fcd75f479878cb30881f8287302ce83d4dcf72d72aff16bd0a58ffaeba2e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a specific malicious redirector URL, suggesting a phishing or scam attempt. The document body, though heavily obfuscated, contains the malicious URL and a lure for 'ableton live mac free'. The heuristic firings confirm the presence of malicious redirector links and a link farm, and also indicate instructions to disable security software, which is a strong indicator of malicious intent. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Security software disable instruction high SE_SECURITY_BYPASS

Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=ableton+live++mac+free
- http://nubuz.desertblossomshop.com/uploads/1/3/2/3/132302842/mugotatekegored.pdf
- http://lotaj.ohiobudokan.org/uploads/1/3/0/7/130775841/ledunirefetozilid.pdf
- http://files.barronparkpreschool.com/uploads/1/3/2/6/132682090/96710796.pdf
- http://files.tlamcivics.com/uploads/1/3/0/7/130738779/f33866f2c41e859.pdf
- http://files.tlamcivics.com/uploads/1/3/0/7/130
- https://cdn.shopify.com/s/files/1/0431/4395/4594/files/venamaxaledoz.pdf
- https://cdn.shopify.com/s/files/1/0436/6427/7657/files/stream_processing_with_apache_flink_github.pdf
- https://cdn.shopify.com/s/files/1/0432/7853/2758/files/luxenetomelirif.pdf
- https://cdn.shopify.com/s/files/1/0431/7914/7430/files/geperuruvitofigujube.pdf
- https://cdn.shopify.com/s/files/1/0436/4877/8400/files/bawiwamewegoj.pdf
- https://cdn.shopify.com/s/files/1/0431/4864/0418/files/21758868924.pdf
- https://cdn.shopify.com/s/files/1/0434/1612/5590/files/1100252729.pdf
- https://cdn.shopify.com/s/files/1/0432/4953/3088/files/niwulirubezoxixafubixuza.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000722e.bin` `ba15b85e8550363f705061a4f950d1b6e0b1857a176ea474614a51f76e97fda5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x722E	5040 bytes
`font_01_sfnt_off0000833f.bin` `72dff2314c3e82e2a795f52780fef5cffb0f7e66dd5fc0ea6b8ae350e1e5003b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x833F	10644 bytes
`font_02_sfnt_off0000a7ea.bin` `684a3c196e802b4dc45ee85e0d12f41c83d6b6c6a55a83cec5fb8e332ee9aa36`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA7EA	16376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.