PDF malware analysis — malicious · 8c4903faf96d79c3

MALICIOUS

PDF

45.7 KB Created: 2020-10-03 21:09:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8bf249679f79559777e1212af8d3a4e0 SHA-1: 0ea1505f3451d6af83f9267e79ba7015c19f701c SHA-256: 8c4903faf96d79c3491935d959584d441adb6c31ab28f622a4d847222de00bb8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to hotel check-in times and URLs, suggesting a lure to a phishing or scam page. The primary malicious indicator is the redirector URL, which is designed to lead users to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=sonesta+es+suites+flagstaff+check+in+time
- http://gotuxu.sophiesparks.com/uploads/1/3/2/7/132710784/togol-wukijuk.pdf
- http://files.americanfoursquare.us/uploads/1/3/2/7/132740218/majibomavapakabopi.pdf
- http://files.sukiscaninerescuecrew.com/uploads/1/3/0/7/130775398/nivenezoru_pirul_vinego.pdf
- https://uploads.strikinglycdn.com/files/352a4c2d-08e8-41f5-baef-99cbc13dbaa9/tuzidofavelijuvopatuja.pdf
- https://uploads.strikinglycdn.com/files/65acc80e-058e-4ffd-8724-88db13fa6e9c/32926108638.pdf
- https://uploads.strikinglycdn.com/files/1f836501-9b22-485e-ad1f-c549841513ea/2362384578.pdf
- https://uploads.strikinglycdn.com/files/1c970269-903c-486f-a6fd-b799700715e4/91091356330.pdf
- https://uploads.strikinglycdn.com/files/7ce57769-b821-4223-aa0c-fdc66592e257/vadekivafijazapiwexa.pdf
- https://uploads.strikinglycdn.com/files/19000073-a861-4d70-b517-a924d6d61f5b/38312085615.pdf
- https://uploads.strikinglycdn.com/files/4dcc7ad0-5408-4ca6-b87c-40e2be7dcaa0/97622768587.pdf
- https://uploads.strikinglycdn.com/files/1ecce8e5-8924-4693-bc8d-b0243d47168f/kodepajebutajukaxoz.pdf
- https://uploads.strikinglycdn.com/files/cc4f27ce-54a9-4cef-89c6-47321e7dd759/jomen.pdf
- https://uploads.strikinglycdn.com/files/c922011d-31e3-4305-93a3-c57388dcb673/31141902611.pdf
- https://uploads.strikinglycdn.com/files/6e3aeea8-761f-4a7e-95e3-9128a4a8d661/zeped.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000068da.bin` `2592ada88f8c8ae59ada91df6c406d35440110cfba013461a27ca2d030ce0ae4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x68DA	5248 bytes
`font_01_sfnt_off00007a8a.bin` `67cb60a4eb2dc32c423c89dee82140e57d651c3ddffe77b0f495c9248f64a8a5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A8A	9620 bytes
`font_02_sfnt_off00009b6c.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9B6C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.