PDF malware analysis — malicious · b28dd55a908e99e9

MALICIOUS

PDF

44.7 KB Created: 2020-08-05 05:08:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 756213473ab5d07da31d85f876b3181b SHA-1: 570e7215a3d61f853c8f3ba8a167b0d25fc4cd18 SHA-256: b28dd55a908e99e9ac891be479f85d0ff43573dd39e95e4528b00896693a460a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a lure promising a free coloring book, but embeds a link to a known malicious redirector. The redirector is configured with a keyword that suggests a search engine optimization (SEO) based lure, aiming to attract users searching for specific content. The document also contains a large number of links to external PDFs, many hosted on Shopify, which is characteristic of SEO link farms used to manipulate search engine rankings or distribute malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=download+anatomy+coloring+book+pdf
- http://files.aquacleanwi.com/uploads/1/3/2/3/132302944/162695.pdf
- http://files.evasound.co.uk/uploads/1/3/2/6/132695575/fubipixenumovenino.pdf
- http://files.royglobalized.net/uploads/1/3/0/8/130813095/ec1b16ee71.pdf
- https://cdn.shopify.com/s/files/1/0434/0006/9285/files/89891260522.pdf
- https://cdn.shopify.com/s/files/1/0433/5419/4070/files/hackerrank_interview_questions.pdf
- https://cdn.shopify.com/s/files/1/0430/0986/7929/files/vamuxis.pdf
- https://cdn.shopify.com/s/files/1/0440/2338/2174/files/27619147665.pdf
- https://cdn.shopify.com/s/files/1/0437/9613/6097/files/voxitijiradefarufuwokefo.pdf
- https://cdn.shopify.com/s/files/1/0430/0508/3811/files/malisis_doors_1._7_10.pdf
- https://cdn.shopify.com/s/files/1/0432/2436/7262/files/toxumevi.pdf
- https://cdn.shopify.com/s/files/1/0428/0093/9164/files/5707705117.pdf
- https://cdn.shopify.com/s/files/1/0433/3309/1480/files/zaputu.pdf
- https://cdn.shopify.com/s/files/1/0428/1332/5471/files/13072826145.pdf
- https://cdn.shopify.com/s/files/1/0428/3963/8179/files/61405519778.pdf
- https://cdn.shopify.com/s/files/1/0429/4243/1395/files/91255547921.pdf
- https://cdn.shopify.com/s/files/1/0432/7332/2664/files/vabemesejul.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000630e.bin` `2fde5bfd5b9a9f17186facb34d56d41070294253d708ef3422df185a34a73e65`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x630E	5364 bytes
`font_01_sfnt_off0000754c.bin` `868e52c94e6d9dec0418b390d57705e6b5f18b90fc610a6efbd509afc2b3bea7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x754C	10104 bytes
`font_02_sfnt_off000097c5.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97C5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.