PDF malware analysis — malicious · 981d6b5c6f972e1b

MALICIOUS

PDF

75.8 KB Created: 2020-07-24 23:59:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7b2d05c710db99f7813aae3a2e2ff57a SHA-1: 2871649dd113df3ef34dc70aa074545d15d40ff5 SHA-256: 981d6b5c6f972e1b952dc67a420d08a6ec329cc81b9d5cd6867c39482f43c605

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link and a link farm, indicating it's designed to lead users to external malicious content. The document body, though heavily obfuscated, contains keywords suggestive of an advance-fee scam, further supported by the 'SE_ADVANCE_FEE_SCAM_LURE' heuristic. The primary malicious IOC is the redirector URL, which likely serves as the entry point for further malicious activity.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=gangster+movie++full
- http://files.heresthedeal.co/uploads/1/3/0/9/130969689/tedavoxavu.pdf
- http://files.fieldstonefinancialinc.com/uploads/1/3/0/8/130813111/bedejenikufub.pdf
- http://files.adityagreens.com/uploads/1/3/0/7/130775922/3866e5bb68694.pdf
- http://files.globallearningadventures.com/uploads/1/3/1/3/131381376/1989315.pdf
- https://cdn.shopify.com/s/files/1/0436/6319/6310/files/xewegemunedoriwekewadu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kofuka.pdf
- https://cdn.shopify.com/s/files/1/0429/6255/0940/files/jilabudiwidebe.pdf
- https://cdn.shopify.com/s/files/1/0431/3962/9218/files/81433569110.pdf
- https://cdn.shopify.com/s/files/1/0431/0820/4704/files/jorugumovagarulu.pdf
- https://cdn.shopify.com/s/files/1/0429/9299/2410/files/mikinalutigeriku.pdf
- https://cdn.shopify.com/s/files/1/0438/9571/8040/files/98378236334.pdf
- https://cdn.shopify.com/s/files/1/0432/5271/1586/files/25491096402.pdf
- https://cdn.shopify.com/s/files/1/0434/9755/4084/files/72923448462.pdf
- https://cdn.shopify.com/s/files/1/0433/2843/8427/files/xoxevetoxerujivake.pdf
- https://cdn.shopify.com/s/files/1/0432/5523/4710/files/sapomibuxojudedewalupo.pdf
- https://cdn.shopify.com/s/files/1/0429/6671/2479/files/pibinebavej.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ebe0.bin` `0a7659905c82ccdbd02badd426f65050cbd954924e7df8f4124109669aee5d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEBE0	5060 bytes
`font_01_sfnt_off0000fd10.bin` `7e5e1ebc8e7281d68d3ec3d71dd98140615c76073229926bd49d6e46078e3833`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFD10	10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.