PDF malware analysis — malicious · 927984a411325a7f

MALICIOUS

PDF

55.8 KB Created: 2020-08-07 13:54:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 85de60df970024de25064568f58e5894 SHA-1: 5a5aa33b3f708e37cb9a34aab189e062013bb446 SHA-256: 927984a411325a7f1a60bab73e78eae594f136266e83bd9432451b13e003b079

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, and a primary link to a known malicious redirector. This indicates a link farm or redirection attack designed to lead users to malicious content. The document body is heavily obfuscated and contains the primary malicious URL, suggesting it's part of a lure to encourage clicks on the embedded links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=beethoven+appassionata+pdf
- http://vafeg.markmcevoylegacyfoundation.org/uploads/1/3/1/4/131437601/928b1becfdf649d.pdf
- http://files.epitomewellness.net/uploads/1/3/2/7/132712129/5465648.pdf
- http://files.napsautosales.com/uploads/1/3/2/6/132681342/busexewuvuwa.pdf
- http://files.thehanoverclub.com/uploads/1/3/1/3/131398182/22090.pdf
- http://files.fancyfootworkreflexology.com/uploads/1/3/1/4/131455463/5719629.pdf
- https://cdn.shopify.com/s/files/1/0428/8777/4367/files/2651673544.pdf
- https://cdn.shopify.com/s/files/1/0430/7209/4362/files/86454831089.pdf
- https://cdn.shopify.com/s/files/1/0433/6982/4414/files/rewunezabejani.pdf
- https://cdn.shopify.com/s/files/1/0435/9543/2099/files/38759458795.pdf
- https://cdn.shopify.com/s/files/1/0434/6671/9385/files/jordan_cc_sims_4.pdf
- https://cdn.shopify.com/s/files/1/0431/0820/4704/files/tic_tac_toe_in_java.pdf
- https://cdn.shopify.com/s/files/1/0435/7816/3359/files/critical_thinking_worksheets_for_1st_grade.pdf
- https://cdn.shopify.com/s/files/1/0438/9906/0392/files/noropi.pdf
- https://cdn.shopify.com/s/files/1/0440/0440/9494/files/internet_essentials_comcast.pdf
- https://cdn.shopify.com/s/files/1/0434/7641/8713/files/26869275775.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007a8d.bin` `d588174ef68f1ba42e0e669dc6066996e47fab300f45576c7680215ef4b08f42`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A8D	4896 bytes
`font_01_sfnt_off00008b2f.bin` `c40b9c10605a393a4fa98244ece0378e0370c4e2c500f4bf0a1c309ed46becf0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B2F	10320 bytes
`font_02_sfnt_off0000aeab.bin` `fb7b45e24c28c4473d0ca1c6410c593992d9a809009f9c41b5ae32c9142507dd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAEAB	16120 bytes
`font_03_sfnt_off0000c393.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC393	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.