PDF malware analysis — malicious · 9b86719430a2c6e1

MALICIOUS

PDF

41.4 KB Created: 2020-08-15 02:19:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 820e881dbeb0cba7b896ce2ebda0d6e0 SHA-1: a41dc6e8bb162d6b69cad48c46e46451910ded81 SHA-256: 9b86719430a2c6e1e9d4a1d3c821fe56b67b34a0e5ca29fdf6ae3f085d14f6e1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with a critical heuristic identifying a link to a known malicious redirector. The document body, though partially corrupted, includes the target URL and appears to be a lure for a safety report. The presence of numerous external links, many hosted on Shopify, suggests a link farm or content distribution network used to host malicious documents. No scripts were extracted, and the primary malicious activity observed is the redirection to a suspicious URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=hinkley+point+c+pre+construction+safety+report
- http://files.max-russell.com/uploads/1/3/1/6/131637240/romixixixufever-gizukuwatim-lixisinokaku.pdf
- http://files.missannasswimschool.com/uploads/1/3/2/6/132682685/9e0352578749cc3.pdf
- http://zetol.sacramentomarriagecounseling.com/uploads/1/3/2/7/132712062/c96ba063576510.pdf
- http://lepugomu.atticsalt.org/uploads/1/3/1/4/131453723/e53b60.pdf
- http://files.gienekeyeshomes.com/uploads/1/3/1/3/131398423/84066af0cd.pdf
- https://cdn.shopify.com/s/files/1/0431/9825/1165/files/badosodixipoj.pdf
- https://cdn.shopify.com/s/files/1/0434/6016/5797/files/44657920367.pdf
- https://cdn.shopify.com/s/files/1/0440/6748/7894/files/an_inspector_calls_revision_booklet.pdf
- https://cdn.shopify.com/s/files/1/0439/5591/2862/files/hwang_jin_yi.pdf
- https://cdn.shopify.com/s/files/1/0430/3237/9545/files/92025030748.pdf
- https://cdn.shopify.com/s/files/1/0431/0564/8791/files/lonofulovisuzi.pdf
- https://cdn.shopify.com/s/files/1/0430/5649/6791/files/zosafozemojima.pdf
- https://cdn.shopify.com/s/files/1/0434/3277/1750/files/lavepebapolexurewojaxuza.pdf
- https://cdn.shopify.com/s/files/1/0435/3156/7256/files/wufanetigukovineve.pdf
- https://cdn.shopify.com/s/files/1/0437/3217/2965/files/jimoxoku.pdf
- https://cdn.shopify.com/s/files/1/0432/8371/0108/files/9526356370.pdf
- https://cdn.shopify.com/s/files/1/0447/9241/4369/files/free_aol_games.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064eb.bin` `c2f78cf0b5d5868a6a3558851806261b5ecf0a2b7efc596c24a195db18914baa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64EB	5136 bytes
`font_01_sfnt_off00007679.bin` `bd767f898bf957f0d5a2b8da84c8a44d8a6b4a3e1e3a13024428b3b8c5a8f532`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7679	9908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.