PDF malware analysis — malicious · b5898319c723e3b7

MALICIOUS

PDF

49.7 KB Created: 2020-08-11 18:09:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b828c64e2f2f930c62cb8379088dc52f SHA-1: c8880ddf775151d2261a92de907e1e4ba104927b SHA-256: b5898319c723e3b77efd68ef182b94fa4ea6563e596b3c717061b9518a19517c

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link leads to a URL that is part of a link farm, suggesting a phishing or malware distribution attempt. The document also contains a visual download button lure, reinforcing the deceptive nature of the content. The primary malicious IOC is the redirector URL.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=edexcel+igcse+chemistry+textbook+answers+pdf
- http://files.devinesolutionsiowa.com/uploads/1/3/2/6/132681690/3299649.pdf
- http://files.northeastinsulation.com/uploads/1/3/0/7/130776483/takolofi_waludamas_fufebinusune_liborexu.pdf
- http://files.lifebizsoulutions.ca/uploads/1/3/1/3/131384573/7695240.pdf
- https://cdn.shopify.com/s/files/1/0434/6835/7796/files/fafijif.pdf
- https://cdn.shopify.com/s/files/1/0429/6799/0438/files/66873985266.pdf
- https://cdn.shopify.com/s/files/1/0431/3215/8116/files/tugupijujigemunirawib.pdf
- https://cdn.shopify.com/s/files/1/0434/4479/7605/files/cohen_tannoudji_quantum_mechanics.pdf
- https://cdn.shopify.com/s/files/1/0433/8365/2506/files/bijekagusam.pdf
- https://cdn.shopify.com/s/files/1/0428/1729/0407/files/85980966047.pdf
- https://cdn.shopify.com/s/files/1/0433/9138/5758/files/placa_ateromatosa.pdf
- https://cdn.shopify.com/s/files/1/0432/8167/8494/files/15167946583.pdf
- https://cdn.shopify.com/s/files/1/0435/6803/8049/files/96783129963.pdf
- https://cdn.shopify.com/s/files/1/0432/6601/5400/files/82358018645.pdf
- https://cdn.shopify.com/s/files/1/0429/5681/6540/files/solidworks_flow_simulation_tutorial.pdf
- https://cdn.shopify.com/s/files/1/0433/0664/7717/files/62480757581.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008182.bin` `4d6e5d6478bcc9678121d43d1e8c7550543ab4693e0a516f595ec352be62dc83`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8182	5992 bytes
`font_01_sfnt_off000095d9.bin` `f17cfa89839e36e27a19e28ebe1b9f00f53c5d1c5f2490d8599269ec24f90878`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x95D9	10492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.