PDF malware analysis — malicious · ad4fe39defe80e8c

MALICIOUS

PDF

37.0 KB Created: 2020-09-20 06:36:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 941ce20e63e360cbb340c2d5b780b0aa SHA-1: 568f9004e36df4a4d485e18bba16759951c0e36d SHA-256: ad4fe39defe80e8cbed4e3a2f549deb814ed4bc7370b7da737814e1b6c525e50

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains embedded links that point to known malicious redirectors and a link farm, indicating a distribution or phishing attempt. The document body, though corrupted, contains text related to a 'Relion blood pressure monitor manual' and URLs that suggest a lure to download further malicious content. The presence of a callback phishing lure heuristic further supports the malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=relion+blood+pressure+monitor+manual
- http://files.ironantlerforge.com/uploads/1/3/0/7/130775413/3978151.pdf
- http://davibekiw.dchobbitleague.com/uploads/1/3/0/9/130969060/9cffae72db955.pdf
- http://najabivov.preciousinvestltd.com/uploads/1/3/1/0/131070197/ravuwe.pdf
- https://97e494ab-e746-4d43-ba94-8fd660689916.filesusr.com/ugd/a91264_fe1c6ed0afcb423b8694ad0b5edf0f6f.pdf?index=true
- https://79641f46-1ee1-44a5-ae11-5ee2e4ed556b.filesusr.com/ugd/565485_39edc4ebdd94412087ac9e90691790ec.pdf?index=true
- https://45a5eaf3-7707-4c02-b028-b366099a9499.filesusr.com/ugd/a64c8c_b8911504107242e8b02a381b77113b9b.pdf?index=true
- https://e1659f24-4ea4-4e18-bd24-2aff6b2e32c0.filesusr.com/ugd/374ce0_04a4580ceafc44cb906831ed4bd2a0eb.pdf?index=true
- https://cdn.shopify.com/s/files/1/0433/6094/4286/files/automobile_engineering_books_google_drive.pdf
- https://cdn.shopify.com/s/files/1/0438/2579/1136/files/books_by_apostle_joshua_selman.pdf
- https://cdn.shopify.com/s/files/1/0444/4323/8567/files/ielts_writing_task_1_band_descriptors_public_version.pdf
- https://cdn.shopify.com/s/files/1/0436/5818/2809/files/human_body_parts_pictures.pdf
- https://cdn.shopify.com/s/files/1/0428/7135/7596/files/vidowedoxe.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000051c7.bin` `8102fbaa16466b90ea3f817821fcde7c1eaefc3fb9679ae59aad4bd359197464`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x51C7	5252 bytes
`font_01_sfnt_off00006381.bin` `d4dd4f4388904fc3b438db376fddddbff8833cac1a244c3e3d73c9b923707f7b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6381	10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.