PDF malware analysis — malicious · bc448dbb1da55622

MALICIOUS

PDF

57.1 KB Created: 2020-09-02 05:45:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 788e871d952eb8c56e87d9c519c06f62 SHA-1: 9a85a7bc661703b56045ff307118e36257434470 SHA-256: bc448dbb1da5562215426d7ecbbf05a13a9a73f639b727028147d544358fba8a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Minecraft pe skins template' and the malicious URL, suggesting a lure to a scam or phishing site. The presence of numerous PDF links and a malicious redirector indicates a campaign focused on driving traffic to potentially harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=minecraft+pe+skins+template
- https://cdn.shopify.com/s/files/1/0431/5162/2306/files/57195041174.pdf
- https://cdn.shopify.com/s/files/1/0437/1054/6070/files/page_break_inside_mpdf_not_working.pdf
- https://cdn.shopify.com/s/files/1/0428/6555/7671/files/6555160890.pdf
- https://cdn.shopify.com/s/files/1/0454/7041/7046/files/573619270.pdf
- https://static.usrfiles.com/ugd/02af14_62f33405e15e432c93add9efd747d53c.pdf
- https://static.usrfiles.com/ugd/857e61_dbdb50c18fce4db8a632bb4d4a3512e5.pdf
- https://static.usrfiles.com/ugd/f9d4cd_13d06172065945388920bdb25cda872c.pdf
- https://static.usrfiles.com/ugd/5360f8_643799529d184c958f75310d432fb95c.pdf
- https://static.usrfiles.com/ugd/49be48_886f7333da2a42afbbba98ca6f86e2e5.pdf
- https://static.usrfiles.com/ugd/b8c837_64a5360b754243ffa1bec505528476f8.pdf
- https://static.usrfiles.com/ugd/b8c837_b77d207c14c04e569c7a4c6da3a3e7e2.pdf
- https://static.usrfiles.com/ugd/3eed2b_a0fea042aeb448be9c96220d2d647f37.pdf
- https://static.usrfiles.com/ugd/ea9bdf_755497d0ff2b446aa0359323579302bc.pdf
- https://static.usrfiles.com/ugd/41f880_c8ae3385a49a4e7b98b2f87b67782928.pdf
- https://static.usrfiles.com/ugd/9374a7_2f498feb22ca4edb89ba65985871e1bb.pdf
- https://static.usrfiles.com/ugd/0cd019_708e304311864b02840798cecc15edf5.pdf
- https://static.usrfiles.com/ugd/368de4_250182ea28e24deea56e9fe22a4ccd50.pdf
- https://static.usrfiles.com/ugd/911c12_f55f6272e7f2473da7ee8dad4c8ec61f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a169.bin` `3bab082a72765c5894bb625fa94c35e105f3b0cede74a94d014b4318f7c30385`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA169	5228 bytes
`font_01_sfnt_off0000b32e.bin` `d7fb1c3f2d739ee451dce3cb495d74a3a841b098aff4070577dd97859fe6d7c2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB32E	10668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.