PDF malware analysis — malicious · 9427b82f674eb5cb

MALICIOUS

PDF

44.2 KB Created: 2020-08-02 19:00:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6f5d976380e47d034435f963908f0ac8 SHA-1: 167245d6091feac613ce18513a9f94ce191ed50d SHA-256: 9427b82f674eb5cba677c4fa7c8ed608a82e11a34785155045149e545c1cfbfd

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, many pointing to Shopify domains hosting other PDFs, and one critical link to a known malicious redirector. This suggests a tactic to lure users to malicious sites or to manipulate search engine results. The presence of the redirector URL indicates an attempt to deliver a secondary payload or phish for credentials.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=poe+chaos+orb
- http://files.nwhsfootball.com/uploads/1/3/0/7/130739204/3249396.pdf
- http://files.spmauzyandassociates.com/uploads/1/3/2/6/132695829/f94b72cc.pdf
- http://files.atomysupport.com/uploads/1/3/1/0/131070238/7ac70ec962.pdf
- https://cdn.shopify.com/s/files/1/0436/0624/5539/files/3790933045.pdf
- https://cdn.shopify.com/s/files/1/0437/8394/6397/files/26531936265.pdf
- https://cdn.shopify.com/s/files/1/0435/0961/2712/files/summoning_calculator_rs3.pdf
- https://cdn.shopify.com/s/files/1/0427/8288/4006/files/49578842238.pdf
- https://cdn.shopify.com/s/files/1/0438/3480/2333/files/nupenuberek.pdf
- https://cdn.shopify.com/s/files/1/0431/9094/3902/files/gotiviwolamopirasa.pdf
- https://cdn.shopify.com/s/files/1/0432/0978/5499/files/wuvafudamutagosilok.pdf
- https://cdn.shopify.com/s/files/1/0437/4292/0869/files/75917984678.pdf
- https://cdn.shopify.com/s/files/1/0429/9109/1875/files/10925411662.pdf
- https://cdn.shopify.com/s/files/1/0433/8781/4044/files/80361944143.pdf
- https://cdn.shopify.com/s/files/1/0430/6278/8245/files/fuvebabalulusukorebuk.pdf
- https://cdn.shopify.com/s/files/1/0429/9866/1279/files/71664027683.pdf
- https://cdn.shopify.com/s/files/1/0437/6117/2631/files/kitosixafatidomev.pdf
- https://cdn.shopify.com/s/files/1/0429/7120/1695/files/jewifeberen.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006290.bin` `a270ed0a96ecbe4b21b36b4fbc02e018eb77fa43bdfc715f6654cb9557e4d8c1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6290	4548 bytes
`font_01_sfnt_off000071fe.bin` `fcce93748767a4bdc92b93e1276422a8be9420d9390b5dcc96c326d7b0770d42`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x71FE	10604 bytes
`font_02_sfnt_off00009630.bin` `7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9630	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.