PDF malware analysis — malicious · bd799718f51a2d40

MALICIOUS

PDF

82.7 KB Created: 2020-08-01 03:30:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0978e7a7af3624792f51043b6b00d195 SHA-1: c95552781a9328fa1c947a9e78fbae9a56d72c42 SHA-256: bd799718f51a2d4074b8ebc0ece20aa3af71ddcec27c207fd691902f454f959e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains multiple heuristics indicating malicious intent, including a link to a known malicious redirector and a link farm designed for SEO manipulation. The document body, though heavily obfuscated, contains text related to 'new year eve' and a URL that aligns with the redirector heuristic. The primary attack pattern appears to be an advance-fee scam, leveraging a lure of a prize or lottery to trick users into clicking a malicious link. The link `https://ttraff.ru/pify?keyword=new+year+eve+2015+houston` is identified as a malicious redirector.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=new+year+eve+2015+houston
- http://files.gregorystringfield.com/uploads/1/3/2/6/132681337/jupado_temul_sasatom_fovozan.pdf
- http://files.biglittlethingsfoundation.org/uploads/1/3/2/6/132683334/dufakop.pdf
- http://files.elationcommunityvoices.com/uploads/1/3/1/4/131408798/pexojar_ketoluxuxu.pdf
- https://cdn.shopify.com/s/files/1/0433/9970/8821/files/65943820611.pdf
- https://cdn.shopify.com/s/files/1/0429/0006/2367/files/50004395748.pdf
- https://cdn.shopify.com/s/files/1/0428/8059/8172/files/9718712721.pdf
- https://cdn.shopify.com/s/files/1/0440/1351/9006/files/how_to_clear_cache_on_macbook_pro.pdf
- https://cdn.shopify.com/s/files/1/0434/5793/7561/files/67201898843.pdf
- https://cdn.shopify.com/s/files/1/0429/5757/0207/files/vistaprint_business_cards.pdf
- https://cdn.shopify.com/s/files/1/0433/7513/2824/files/nurotaxonejixakifip.pdf
- https://cdn.shopify.com/s/files/1/0431/5129/4619/files/sodusamujupa.pdf
- https://cdn.shopify.com/s/files/1/0433/7221/6483/files/48070436294.pdf
- https://cdn.shopify.com/s/files/1/0437/9761/0657/files/nozosudawuwuretuxiseteg.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010698.bin` `39bff2d920b4c79a4158c608f63c05eb9bc5361b6fc2acc4bcb97c4a1258672a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10698	5412 bytes
`font_01_sfnt_off00011924.bin` `38dfd2bdbfa176cd64dd1f3953fb4491c3f5d977b5bcd1dab2872c52e33ba871`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11924	10760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.