PDF malware analysis — malicious · b63ede403d80b0af

MALICIOUS

PDF

51.8 KB Created: 2020-08-09 06:13:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 94075d50e093e45a27840deab17d5153 SHA-1: 1fc7220af7cfcdd07af88da7a2a90def1c733742 SHA-256: b63ede403d80b0afcaf563ae2045dfa1887ceb8254559a25b2fa81c6e11eb287

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to a known malicious redirector. The primary malicious link is https://ttraff.cc/pify?keyword=astm+b117+16+pdf, which is designed to redirect users to further malicious content. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, suggesting a programmatic approach to creating this link farm.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=astm+b117+16+pdf
- http://files.633stclair.com/uploads/1/3/1/6/131606335/305c1.pdf
- http://files.acuedge.net/uploads/1/3/0/8/130874416/9663850.pdf
- http://files.laurajoart.com/uploads/1/3/1/4/131455832/zilitutekera_davikowuk_rukafefi_foponixu.pdf
- http://files.olenkaschoolofmusic.com/uploads/1/3/0/8/130814758/8408966.pdf
- http://sunigiga.shannonmcferrinfineartist.com/uploads/1/3/1/4/131406717/636389.pdf
- https://cdn.shopify.com/s/files/1/0440/6099/9830/files/53079753922.pdf
- https://cdn.shopify.com/s/files/1/0430/2965/9805/files/munson_fluid_mechanics.pdf
- https://cdn.shopify.com/s/files/1/0433/0507/4838/files/93817469839.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51108684678.pdf
- https://cdn.shopify.com/s/files/1/0433/4691/9579/files/artisanal_mining_in_zimbabwe.pdf
- https://cdn.shopify.com/s/files/1/0431/9232/0161/files/29361558083.pdf
- https://cdn.shopify.com/s/files/1/0432/9019/8180/files/welopevosaretatunopevez.pdf
- https://cdn.shopify.com/s/files/1/0429/8748/7395/files/metamezagonirig.pdf
- https://cdn.shopify.com/s/files/1/0437/3171/4199/files/70396464133.pdf
- https://cdn.shopify.com/s/files/1/0433/9318/7989/files/67846517522.pdf
- https://cdn.shopify.com/s/files/1/0434/1664/9890/files/91503692931.pdf
- https://cdn.shopify.com/s/files/1/0432/9721/0532/files/54926541476.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000820a.bin` `0479f8e136fb152e2b26a8f5d0344bbb34065f507ec87bfa69dae4354fdaf78c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x820A	3140 bytes
`font_01_sfnt_off00008d4f.bin` `d75ac3611f1fdcd09a8972879d93df9a6e284045220d8d9970a430154c9dc67d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D4F	5264 bytes
`font_02_sfnt_off00009f35.bin` `8d92219c13c6b8e7cfbd8b2a46e16998a8d48f7f58dd9c03689390447e253fee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F35	10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.