PDF malware analysis — malicious · b276dd0dec7c4a0b

MALICIOUS

PDF

72.1 KB Created: 2020-08-07 04:33:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 71a3d6a4e04d72266a510cf0c3ad7abe SHA-1: ec5ea143d8b16287e61e44bee03a513613b5c1de SHA-256: b276dd0dec7c4a0b0907ce5be847bc62ef1de315c1735fd1f330a9bf7dff6f4d

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the same URL as the malicious redirector, suggesting it is the primary lure. The presence of a large number of external PDF links, many hosted on Shopify, indicates a link farm designed to improve search engine ranking for malicious content. The heuristic firings confirm the malicious redirector and the link farm, supporting the conclusion that this is a phishing or malware distribution attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cetoacidosis+diabetica+vs+estado+hiperosmolar+pdf
- http://files.en.lofos-apartments.com/uploads/1/3/0/8/130813827/c4687.pdf
- http://files.kelseysmarina.com/uploads/1/3/0/7/130775498/3c70d.pdf
- http://jipakete.lovelifesex.org/uploads/1/3/1/0/131070420/f423c05.pdf
- https://cdn.shopify.com/s/files/1/0431/3884/2779/files/4709379777.pdf
- https://cdn.shopify.com/s/files/1/0434/7510/7992/files/cat_3116_specs.pdf
- https://cdn.shopify.com/s/files/1/0430/6262/4405/files/rumetebe.pdf
- https://cdn.shopify.com/s/files/1/0431/7007/0690/files/alimentos_para_diabeticos_e_hipertensos.pdf
- https://cdn.shopify.com/s/files/1/0434/8372/5990/files/gaddis_java.pdf
- https://cdn.shopify.com/s/files/1/0431/3972/7521/files/sezuzapigofolabonozux.pdf
- https://cdn.shopify.com/s/files/1/0431/0777/8711/files/kasozin.pdf
- https://cdn.shopify.com/s/files/1/0431/2717/7380/files/95813561580.pdf
- https://cdn.shopify.com/s/files/1/0429/5720/9753/files/visowidox.pdf
- https://cdn.shopify.com/s/files/1/0436/4002/9344/files/36294398913.pdf
- https://cdn.shopify.com/s/files/1/0435/3956/2645/files/swedish_death_metal_bands.pdf
- https://cdn.shopify.com/s/files/1/0434/0360/8214/files/xowofejon.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cf33.bin` `1ed890095e816c7a30dec6afa203aa0c7e13d4442bdb31201b27bc04b863e369`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCF33	5500 bytes
`font_01_sfnt_off0000e1bd.bin` `a57c8ad15661c5466adbefe386a2cb49ec33460f1de3addf7d2a6a2645db0d77`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE1BD	15368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.