PDF malware analysis — malicious · a8d6a79b4ae8d711

MALICIOUS

PDF

50.0 KB Created: 2020-08-15 21:40:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7379a99b33d82681fb5d062e33592b45 SHA-1: 54033733442884c23603eef9a5755ac0d1d7fec9 SHA-256: a8d6a79b4ae8d71129b816f914c1828e8a66ef4dcd19f5cca1c8f6e97843ee1a

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded links, one of which, 'https://ttraff.cc/wb?keyword=nigeria%20visa%20application%20form%20pdf', is identified as a malicious redirector. The document body, though heavily corrupted, appears to be a lure related to a 'Nigeria visa application form'. The presence of numerous external PDF links, many hosted on cdn.shopify.com, suggests a link farm strategy to obscure the malicious redirector. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wb?keyword=nigeria%20visa%20application%20form%20pdf
- http://files.christinafrancescabutera.com/uploads/1/3/1/4/131453651/3256393.pdf
- http://files.mofouad.com/uploads/1/3/1/8/131871433/rafapuxiloriji.pdf
- https://cdn.shopify.com/s/files/1/0431/6797/3538/files/alphabet_anglais_prononciation.pdf
- https://cdn.shopify.com/s/files/1/0428/7974/6201/files/vaccine_cold_chain_management.pdf
- https://cdn.shopify.com/s/files/1/0427/5834/0774/files/nolemegimikonubefakag.pdf
- https://cdn.shopify.com/s/files/1/0427/5837/3542/files/pdf_to_word_ocr_converter_download.pdf
- https://cdn.shopify.com/s/files/1/0427/5293/4044/files/14540833489.pdf
- https://cdn.shopify.com/s/files/1/0448/3586/4736/files/workshop_registration_form_template_doc.pdf
- https://cdn.shopify.com/s/files/1/0435/5679/8627/files/tosew.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55497749658.pdf
- https://cdn.shopify.com/s/files/1/0430/3493/5447/files/mujolenusedon.pdf
- https://cdn.shopify.com/s/files/1/0430/6183/7981/files/88711945304.pdf
- https://cdn.shopify.com/s/files/1/0438/4758/1856/files/petarerasenofatizo.pdf
- https://cdn.shopify.com/s/files/1/0432/0601/7185/files/co_worker_synonym.pdf
- https://cdn.shopify.com/s/files/1/0428/4982/9023/files/vukidafitemazot.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000078ed.bin` `22f7697e344b583b9351aec72ed1644ce6321bc0bdb1e2558ccca39fef48181e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78ED	5504 bytes
`font_01_sfnt_off00008b96.bin` `61aed79a551e8710aeb03adafa85964d269b9751824b0164618a5a4834810be9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8B96	15376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.