MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains embedded links, one of which points to a known malicious redirector. The document body text and heuristic firings indicate a lure related to 'cash payment voucher format excel'. The presence of numerous links to external PDFs, many hosted on Shopify, suggests a link farm used for SEO poisoning or to obscure the final malicious destination. No scripts were extracted from this sample.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.cc/wix?keyword=cash+payment+voucher+format+excel
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xuvekalododit.pdf
- https://cdn.shopify.com/s/files/1/0432/1322/6139/files/54997565532.pdf
- https://cdn.shopify.com/s/files/1/0437/4288/8097/files/que_es_balance_de_materia_y_energia.pdf
- https://cdn.shopify.com/s/files/1/0434/0963/7533/files/21789015437.pdf
- https://cdn.shopify.com/s/files/1/0427/8845/4559/files/weweniwe.pdf
- https://cdn.shopify.com/s/files/1/0433/9567/8359/files/ucsd_cape_results.pdf
- https://cdn.shopify.com/s/files/1/0429/7133/2767/files/49106652300.pdf
- https://cdn.shopify.com/s/files/1/0427/4572/5094/files/puvoxenajusizokejatodebav.pdf
- https://static.usrfiles.com/ugd/b8c837_59da4d82b3f7489ba22734dd22dd03bd.pdf
- https://static.usrfiles.com/ugd/b8c837_946623de2c8d4ae1bfa3c9e658859ce4.pdf
- https://cdn.shopify.com/s/files/1/0437/7244/4823/files/movies_telugu_new_2019.pdf
- https://cdn.shopify.com/s/files/1/0428/7073/5014/files/biodata_format_with_photo.pdf
- https://cdn.shopify.com/s/files/1/0436/9442/4232/files/78033781547.pdf
- https://cdn.shopify.com/s/files/1/0433/8001/5271/files/vba_cdate_format.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00009ab1.bin (SHA-256: dd7b880f1c6958317b71933e3175eb4154b1281d355b69180e4ce829e506ee21) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9AB1 | 2828 bytes |
| font_01_sfnt_off0000a4ab.bin (SHA-256: 9a7b8b513a25ef7dcccba2659ab1ed2555f372e52623b6a0e50ec1bbba88393b) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA4AB | 5388 bytes |
| font_02_sfnt_off0000b6e8.bin (SHA-256: dcb4f0383a6045f2d900c159d98d381042fc4ec0461d6ed79e2e53e3d64f8a3f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB6E8 | 9980 bytes |