PDF malware analysis — malicious · c19ac1b96af442ba

MALICIOUS

PDF

47.4 KB Created: 2020-08-24 17:02:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0deaa6aed9d0d3d8c09d2ca5e59d62cb SHA-1: 6c375bd61fc21586ace9fbc6ab2a274410dc9a17 SHA-256: c19ac1b96af442ba9113dc22dac48135e7bb4c2b62e083f0ccc91bb7e1459444

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document contains a lure, presenting itself as a proforma invoice to encourage user interaction. It embeds a mass of external links, with one critical link identified as a malicious redirector: https://ttraff.cc/pify?keyword=vertex42+proforma+invoice. This redirector likely leads to a malicious payload or phishing page. The document's structure and link farm indicate a delivery mechanism for further compromise.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=vertex42+proforma+invoice
- http://files.tucsonmetaphysicsfair.com/uploads/1/3/1/4/131414743/1608220.pdf
- http://visagug.escalation.com.au/uploads/1/3/1/8/131858530/radomopagevu_dinusegapule_vuvebeg.pdf
- http://files.snugpubcocoavillage.com/uploads/1/3/1/4/131438761/siseme.pdf
- https://cdn.shopify.com/s/files/1/0430/3529/5905/files/it_asset_inventory_template_xls.pdf
- https://cdn.shopify.com/s/files/1/0435/5080/2081/files/97340306261.pdf
- https://cdn.shopify.com/s/files/1/0436/4953/2069/files/30160892555.pdf
- https://cdn.shopify.com/s/files/1/0437/3417/1800/files/15480213266.pdf
- https://cdn.shopify.com/s/files/1/0437/8561/7570/files/alexandria_egypt_map.pdf
- https://cdn.shopify.com/s/files/1/0433/6533/5190/files/19619621928.pdf
- https://cdn.shopify.com/s/files/1/0462/7827/9317/files/36585458712.pdf
- https://cdn.shopify.com/s/files/1/0433/0058/5625/files/eevee_evolution_guide_pokemon_moon.pdf
- https://cdn.shopify.com/s/files/1/0461/7266/8057/files/pentatonix_dancing_on_my_own_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0436/8557/6857/files/enchanting_leveling_guide_vanilla.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000713e.bin` `4aba2bb845853324476be69e5ed1bf4ff35002942389efac2b843cac1129f0e9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x713E	2828 bytes
`font_01_sfnt_off00007b39.bin` `1bc1df2a887ba9a201d110a3447d38d986063f561d8a91c7fd524482d8bda1e5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B39	5264 bytes
`font_02_sfnt_off00008d20.bin` `5c2c5110c26c9757e2238cf716a5897e2ca50741b1b0ba3ef3f4af999cfd138d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D20	9888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.