PDF malware analysis — malicious · be3292299e1f4f64

MALICIOUS

PDF

52.2 KB Created: 2020-08-29 23:11:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 887cd28d75bb10565989c9cd79a7e76e SHA-1: af57cdb7b286091bfb5e254e62989b2398fbfd0c SHA-256: be3292299e1f4f64c95efe59e8e8ff8ec7289a903ce7086c26014c2fdcd85336

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link and a PDF link farm. The document body text, though heavily obfuscated, includes a URL that matches the redirector link found in the heuristics. This suggests the primary goal is to redirect the user to malicious content, likely for further exploitation or phishing.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=hamari+adhuri+kahani+full+movie+download+bolly4u
- https://static.usrfiles.com/ugd/b8c837_955a13aea1074fa1b367fd6c49cbe768.pdf
- https://static.usrfiles.com/ugd/b8c837_92488ebecacd42a48bb8969f0ff89d03.pdf
- https://static.usrfiles.com/ugd/b8c837_79498a9681a742d5ad474c77ba802910.pdf
- https://static.usrfiles.com/ugd/a382ee_f28e3598198c4e5fa4ee06d49067044c.pdf
- https://static.usrfiles.com/ugd/0d9a50_ba31b99e76cc4d19bcde02ee247355cf.pdf
- https://cdn.shopify.com/s/files/1/0431/2553/8970/files/83322471941.pdf
- https://cdn.shopify.com/s/files/1/0433/7565/7121/files/17269777854.pdf
- https://cdn.shopify.com/s/files/1/0434/7278/1477/files/upper_back_exercises_nhs.pdf
- https://cdn.shopify.com/s/files/1/0427/4854/3142/files/dolam.pdf
- https://static.usrfiles.com/ugd/5926b4_464265c8790941048975298f51981668.pdf
- https://static.usrfiles.com/ugd/b8c837_38b229dc1e31431aaf3ada771b33d3cc.pdf
- https://static.usrfiles.com/ugd/11f207_93921fb6bca4463bac061a286c0e1008.pdf
- https://static.usrfiles.com/ugd/b8c837_0df5ff7df7c4421ba383340a86a07218.pdf
- https://cdn.shopify.com/s/files/1/0430/3178/9721/files/scrum_master_certification_dumps_free.pdf
- https://cdn.shopify.com/s/files/1/0432/5172/8546/files/zasipumepilimer.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/11f207_93921fb6b

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000069c1.bin` `0d6f635f4d16b799b5667d6f601cc4d1e2e784e32bbc005609ea2e7bed54bab6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x69C1	5276 bytes
`font_01_sfnt_off00007b95.bin` `d1d92e70aaae90db76fcd9b6500096eb04569a258f763f752be4097e2f238680`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B95	10580 bytes
`font_02_sfnt_off00009fdc.bin` `1854186ac67b24e88ad7693bf4a2f322bd0b294e3eddc8910b6c49537fdacf58`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FDC	16136 bytes
`font_03_sfnt_off0000b4dd.bin` `b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB4DD	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.