PDF malware analysis — malicious · be060552268521c0

MALICIOUS

PDF

42.6 KB Created: 2020-09-02 16:13:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8488bef87627b60d476ea7064e5febea SHA-1: 5ea275c299817b28ba60901a05996fc5a25616e5 SHA-256: be060552268521c06b63216629fa78604ba33d7f0d52e16cb2df5315d2cbf309

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text suggesting a lure related to editing spreadsheets in Google Drive, which is likely intended to trick the user into clicking the malicious link. The PDF also contains a large number of external links, characteristic of a link farm, further supporting a malicious intent to redirect users to potentially harmful sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=edit+spreadsheet+in+google+drive
- https://static.usrfiles.com/ugd/f99735_c41e56340a484b0d9064c0745dc33faa.pdf
- https://static.usrfiles.com/ugd/a3b54b_7a39268902af479c8d1cc181d9657714.pdf
- https://static.usrfiles.com/ugd/37321e_d55fd7010fd4477aa346311b99a94797.pdf
- https://static.usrfiles.com/ugd/b8c837_43c840659fd2480593c52aa8e440cea8.pdf
- https://static.usrfiles.com/ugd/909b15_0e54f5394c044adfbbf789b3018b1b2a.pdf
- https://static.usrfiles.com/ugd/3835dd_bf9f9493da3a4323b1ef85104302b70b.pdf
- https://static.usrfiles.com/ugd/99a8f2_ddc97525736049d08d36ac1304af683e.pdf
- https://static.usrfiles.com/ugd/8ade13_44c3e3c586bd42148470cb0334ee4745.pdf
- https://static.usrfiles.com/ugd/205ae4_ecec0d6f27704eb9b2adaf65203e5adc.pdf
- https://cdn.shopify.com/s/files/1/0439/4647/5675/files/my_heart_will_go_on_sheet_music_alto_sax.pdf
- https://cdn.shopify.com/s/files/1/0438/0655/6322/files/easotic_virbac_comprar.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zonamanasalusowalu.pdf
- https://static.usrfiles.com/ugd/73cb9e_f024ccb6758b4ade8520acdb38945906.pdf
- https://static.usrfiles.com/ugd/d01287_bf2ca79de6f949f4a853ad94a2088295.pdf
- https://static.usrfiles.com/ugd/b8c837_464caf8764254d4f9b7d54c1c6813de3.pdf
- https://static.usrfiles.com/ugd/98857b_862526a9f21043bdb323171bf2aff447.pdf
- https://static.usrfiles.com/ugd/b8c837_bc759c359be643d1a5467d6609002bdf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000068aa.bin` `cd13e78a0277097d9f9a613072cf754f182f279d9f20e76e274101eddd7c9352`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x68AA	5236 bytes
`font_01_sfnt_off00007a7d.bin` `1aa3b6d300db17f9d663b4b5b95e595134f409d4d7fef10a55f806cdf777c32f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A7D	10480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.