PDF malware analysis — malicious · 91c64d6c7da915f9

MALICIOUS

PDF

50.3 KB Created: 2020-08-19 09:08:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 63feca54ddb7ffce2c632ff1593e2bfd SHA-1: d208f7d437263f1052704eef2698f94b03e51199 SHA-256: 91c64d6c7da915f9a4056c429d03b384fbdebfdabde312c60360aff1185307e8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a link farm and a specific malicious redirector URL, indicating an attempt to direct users to potentially harmful content. The heuristic 'SE_CALLBACK_LURE' suggests a social engineering pretext, possibly related to fake billing or subscription issues, to encourage user interaction with the malicious links. The document body itself is heavily obfuscated and contains the malicious redirector URL, reinforcing the attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=traffic+report+betsy+ross+bridge
- http://files.christiefencing.co.uk/uploads/1/3/1/4/131408024/botulizulubi.pdf
- http://files.agricolacuvelier.com/uploads/1/3/1/4/131452836/46cdb03.pdf
- http://files.mamajourneys.com/uploads/1/3/1/1/131163540/70e183e2b8.pdf
- http://sajulo.trlegacypartnership.org/uploads/1/3/1/4/131437987/0d5b19c157.pdf
- https://cdn.shopify.com/s/files/1/0428/9508/1635/files/76142386381.pdf
- https://cdn.shopify.com/s/files/1/0435/2029/5064/files/72364512252.pdf
- https://cdn.shopify.com/s/files/1/0428/3393/6547/files/kamopifegetanarepem.pdf
- https://cdn.shopify.com/s/files/1/0430/6596/6754/files/zesagoloj.pdf
- https://cdn.shopify.com/s/files/1/0430/9712/9109/files/zibiwogogoxazogilukuve.pdf
- https://cdn.shopify.com/s/files/1/0437/7732/7265/files/gukenarukukenivorod.pdf
- https://cdn.shopify.com/s/files/1/0435/4929/4756/files/71028824608.pdf
- https://cdn.shopify.com/s/files/1/0429/2457/2835/files/vimorifawasikal.pdf
- https://cdn.shopify.com/s/files/1/0431/7052/9436/files/little_rascal_scooter.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007864.bin` `b1ac668c847fbd327cde0cc2104a559bd8acaa1568d95f0adf3b6921d27b977a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7864	5164 bytes
`font_01_sfnt_off000089fe.bin` `5525f357b0f9d3db23fb3271580e6d6fae093ee81e936257f3f2748e84eb16c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x89FE	10620 bytes
`font_02_sfnt_off0000ae6a.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAE6A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.