PDF malware analysis — malicious · 9293262b009233b7

MALICIOUS

PDF

48.0 KB Created: 2020-08-01 21:39:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6051621afe2cb00e3f9236096d80b97e SHA-1: ceb907595f1d96835dc4658b306bad36c5009766 SHA-256: 9293262b009233b7bca19cf11b3baa26aacb17a8d4e9771f136dadf0f72d10fc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be the primary lure. This URL leads to a redirector, which is a common technique for delivering malware or phishing pages. The presence of numerous external links, many hosted on Shopify, suggests a link farm used for SEO poisoning or distributing malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=military+hand+to+hand+combat+manual+pdf
- http://files.svdesignphoto.com/uploads/1/3/1/4/131437453/3fdaa96.pdf
- http://files.marzipan-media.com/uploads/1/3/1/8/131856184/7584706.pdf
- http://files.aimtravelco.voyagerwebsites.com/uploads/1/3/1/4/131438113/jowiji_sikedevi_gonijijez_tetono.pdf
- http://files.uctpracticalnursing.com/uploads/1/3/1/0/131069879/1222186.pdf
- http://files.soyouknow.info/uploads/1/3/1/3/131380440/bigozig.pdf
- https://cdn.shopify.com/s/files/1/0428/6083/9079/files/70012891020.pdf
- https://cdn.shopify.com/s/files/1/0431/3504/1702/files/vuwake.pdf
- https://cdn.shopify.com/s/files/1/0433/0012/6880/files/3423929472.pdf
- https://cdn.shopify.com/s/files/1/0436/0192/0157/files/zoxizixufegoloveximuxo.pdf
- https://cdn.shopify.com/s/files/1/0431/9982/4032/files/35567364040.pdf
- https://cdn.shopify.com/s/files/1/0434/6429/4557/files/22321009770.pdf
- https://cdn.shopify.com/s/files/1/0429/4891/9450/files/23407474129.pdf
- https://cdn.shopify.com/s/files/1/0430/5934/7618/files/31618704475.pdf
- https://cdn.shopify.com/s/files/1/0437/5104/7329/files/43661856524.pdf
- https://cdn.shopify.com/s/files/1/0435/6653/0719/files/vobamu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0431/9982/4032/files/35567364040

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006fbd.bin` `b9dc2762ac1e5e45552d742f68d734c00bb3e310ee3108fd2b213afdb4a34538`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FBD	5228 bytes
`font_01_sfnt_off00008150.bin` `d059d9607334b9d8eb95e2a449d9745fdf66a8e4c13c0da8a73523f07753b1fe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8150	10320 bytes
`font_02_sfnt_off0000a44b.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA44B	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.