PDF malware analysis — malicious · bddb80c607e9da31

MALICIOUS

PDF

49.8 KB Created: 2020-08-20 18:50:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e9673572022380fd41df5fdf812a2614 SHA-1: b144d6e99b3c77dbd61f4015a7880fabff23978c SHA-256: bddb80c607e9da313389ba7f8efc297f766a549bb2f90a7318a61fa3d7b14953

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, with one pointing to a known malicious redirector. The document body mentions 'iq option binary trading pdf', suggesting a financial scam lure. The presence of a link farm further indicates malicious intent, likely to drive traffic to malicious sites or to improve SEO for scam-related content. No scripts were extracted, but the PDF structure and embedded URLs are sufficient to infer a phishing or scam attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=iq+option+binary+trading+pdf
- http://files.number38spa.com/uploads/1/3/1/4/131453998/5539493.pdf
- http://saxepudet.john-weiss.net/uploads/1/3/1/1/131164250/lujubesasagalu.pdf
- http://pakuf.tanawanhandycraft.com/uploads/1/3/1/3/131383544/9272781.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bipifapokuwegi.pdf
- https://cdn.shopify.com/s/files/1/0430/7494/5184/files/juxewutusobogixiz.pdf
- https://cdn.shopify.com/s/files/1/0434/9024/6822/files/ps3_latest_update.pdf
- https://cdn.shopify.com/s/files/1/0431/6410/6909/files/xubijuji.pdf
- https://cdn.shopify.com/s/files/1/0438/9994/5112/files/lizadabiluzejili.pdf
- https://cdn.shopify.com/s/files/1/0428/3331/3958/files/waperixudumepuzeju.pdf
- https://cdn.shopify.com/s/files/1/0436/7620/5209/files/77391457260.pdf
- https://cdn.shopify.com/s/files/1/0433/9784/1054/files/44602514466.pdf
- https://cdn.shopify.com/s/files/1/0437/4478/8634/files/71918197377.pdf
- https://cdn.shopify.com/s/files/1/0429/9754/7157/files/56657207410.pdf
- https://cdn.shopify.com/s/files/1/0433/8378/3575/files/9125501474.pdf
- https://cdn.shopify.com/s/files/1/0437/2588/1498/files/34300563487.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000075df.bin` `66edfe0d6d0be0d621ab2b9d921b6dc0dbf2e2da2ba3580ca5e19cf59895d819`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x75DF	4976 bytes
`font_01_sfnt_off000086c0.bin` `219d615394c1cfd6f86d4c1d3e9b177f5b3d28dac173bb5a5a0ce6e32e9ca001`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x86C0	11056 bytes
`font_02_sfnt_off0000ac44.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAC44	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.