PDF malware analysis — malicious · bc1b488855c2484e

MALICIOUS

PDF

45.0 KB Created: 2020-08-25 20:59:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7f72bd261a846f64c3f42684cde4f632 SHA-1: f0b7486d4df8629d2ea705b51bce2e0794079f9f SHA-256: bc1b488855c2484e44ae24754a30ab8c63a350ca3656e5fd365a76c2ae4108e7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used in link farm attacks to manipulate search engine results or to hide malicious URLs among benign ones. One of the embedded links, 'https://ttraff.com/pify?keyword=a+new+lease+of+death+ruth+rendell+pdf', is identified as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of numerous benign Shopify links is likely a tactic to increase the perceived legitimacy of the document.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=a+new+lease+of+death+ruth+rendell+pdf
- http://guworo.magnoliatexasoutdoorliving.com/uploads/1/3/2/3/132303072/gufukikugekiguzoja.pdf
- http://files.shortstuffbulldogs.com/uploads/1/3/1/3/131398236/petoxupazetova-domixol-wapajowigeri-siwofajixube.pdf
- https://cdn.shopify.com/s/files/1/0457/3295/4278/files/gmail_for_android_4._2.pdf
- https://cdn.shopify.com/s/files/1/0432/0559/1200/files/6295084646.pdf
- https://cdn.shopify.com/s/files/1/0463/0803/2669/files/efundi_study_guides.pdf
- https://cdn.shopify.com/s/files/1/0464/9415/4904/files/chevrolet_cruze_2010_service_repair_manual.pdf
- https://cdn.shopify.com/s/files/1/0434/0046/2501/files/71390755243.pdf
- https://cdn.shopify.com/s/files/1/0438/2274/3712/files/ffxiv_act_kagerou.pdf
- https://cdn.shopify.com/s/files/1/0444/2229/9815/files/wayne_county_probate_court.pdf
- https://cdn.shopify.com/s/files/1/0429/4295/5676/files/1398871062.pdf
- https://cdn.shopify.com/s/files/1/0437/7087/1970/files/wifaladubovojavogom.pdf
- https://cdn.shopify.com/s/files/1/0432/2941/3544/files/domain_driven_design_php.pdf
- https://cdn.shopify.com/s/files/1/0428/6529/5526/files/5893574088.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000064fb.bin` `7866c45b7ef440c27210d4b692769f777ae42e5e3d9f4ff88b5b4c1e3ffd9ddd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64FB	5044 bytes
`font_01_sfnt_off00007628.bin` `4d12001dba25f35725fcac8f5cba5783c90a071886dfbd7297f2d9e2e47c313c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7628	10208 bytes
`font_02_sfnt_off0000991a.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x991A	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.