PDF malware analysis — malicious · b6eb8623f02e10f0

MALICIOUS

PDF

44.3 KB Created: 2020-08-24 22:00:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 029c3cb1c6a7a309cb4c8283ae7c3919 SHA-1: aad9cf3c9e97d6ae832f27680387df387d31fcf6 SHA-256: b6eb8623f02e10f0fa5b44a19e5bacdda03360c225d4ace7bd23ed8f38dec62b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple embedded links, with one heuristic specifically identifying a malicious redirector. The document body, though heavily obfuscated, contains text related to 'apprenticeship manitoba work experience form' and a URL that is flagged as a malicious redirector. This suggests a phishing or scam attempt designed to trick users into visiting malicious sites. The presence of a link farm further supports the malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=apprenticeship+manitoba+work+experience+form
- http://fafosope.practicaladvantagecomm.org/uploads/1/3/1/8/131871729/19af95bcb69.pdf
- https://cdn.shopify.com/s/files/1/0430/9801/3845/files/wofaziwakoxejenidipukiwet.pdf
- https://cdn.shopify.com/s/files/1/0437/2883/0625/files/dolamaviti.pdf
- https://cdn.shopify.com/s/files/1/0432/9455/6320/files/22025307218.pdf
- https://cdn.shopify.com/s/files/1/0427/7927/9527/files/rilijatu.pdf
- https://cdn.shopify.com/s/files/1/0436/9468/6376/files/lexical_analyzer_java.pdf
- https://cdn.shopify.com/s/files/1/0431/5476/8021/files/vurafukirenudi.pdf
- https://cdn.shopify.com/s/files/1/0430/4420/8797/files/27366745908.pdf
- https://cdn.shopify.com/s/files/1/0432/2535/0301/files/54654595929.pdf
- https://cdn.shopify.com/s/files/1/0433/6127/1959/files/building_control_ni_application_form.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13908697451.pdf
- https://cdn.shopify.com/s/files/1/0429/7192/2591/files/73777683556.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005eeb.bin` `3036bc124aca19941a86230c72d2e3978130dc98e8c087755fdf8a99d3439f3f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5EEB	5364 bytes
`font_01_sfnt_off000070f2.bin` `23283b964f1a863ce345d1ed6422086c90b4f7a8f360957e5e49ff4e7b778168`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x70F2	10800 bytes
`font_02_sfnt_off000095d6.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x95D6	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.