PDF malware analysis — malicious · a33284e8d0668fc9

MALICIOUS

PDF

58.4 KB Created: 2020-07-30 02:55:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e3ff944be33e3c25832bf7a49d7e0775 SHA-1: 70193f5cef839dd6af1965c04ed5878cfb2f6487 SHA-256: a33284e8d0668fc9381e5ee5339f8cef16f1df976dbc06ae129cb51b78a8b3bb

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, suggests a lure related to 'Apollo munich health insurance form pdf', aligning with phishing or scam tactics. The presence of numerous links, including a link farm, indicates an attempt to distribute malicious content or drive traffic to compromised sites.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=apollo+munich+health+insurance+form+pdf
- http://files.alissa-harrison-portfolio.com/uploads/1/3/1/4/131452952/f5be206b369d8cb.pdf
- http://files.acuartistry.com/uploads/1/3/1/6/131606688/miritawamodemir_tavinese_giwit_lexazita.pdf
- http://files.mywynfield.com/uploads/1/3/2/3/132302871/4819150.pdf
- http://files.letsdansky.com/uploads/1/3/2/7/132740949/derusazape.pdf
- http://files.alissa-harrison-portfolio.com/uploads/1/3
- https://cdn.shopify.com/s/files/1/0430/4440/5397/files/20677891491.pdf
- https://cdn.shopify.com/s/files/1/0430/4686/3005/files/21441921555.pdf
- https://cdn.shopify.com/s/files/1/0431/1954/2434/files/razof.pdf
- https://cdn.shopify.com/s/files/1/0432/9806/2501/files/43958245498.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/3789128943.pdf
- https://cdn.shopify.com/s/files/1/0431/0610/7552/files/35362843850.pdf
- https://cdn.shopify.com/s/files/1/0428/0628/0355/files/65411066102.pdf
- https://cdn.shopify.com/s/files/1/0435/5457/0399/files/bufuvosake.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/4274895189.pdf
- https://cdn.shopify.com/s/files/1/0429/5252/3929/files/pesutuvexedotafitud.pdf
- https://cdn.shopify.com/s/files/1/0432/8266/1526/files/48724664176.pdf
- https://cdn.shopify.com/s/files/1/0431/2920/8992/files/44112512564.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a5e5.bin` `14e8c94b54c508613d2d2a55fe3a456e06b00ab1042549395d8d873b256f0d7f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA5E5	5264 bytes
`font_01_sfnt_off0000b78f.bin` `5426fe4d0e31b49f61252c04705870b86020a820b4b2bd92227c7c19d9a4f2d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB78F	11068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.