PDF malware analysis — malicious · c4e6508fc5a11de6

MALICIOUS

PDF

40.1 KB Created: 2020-08-07 10:12:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 58cf7424b5e367950126bdfeecb00a47 SHA-1: 81c7084b754bf1eedd41d19a811cc7cf6b6ab882 SHA-256: c4e6508fc5a11de68b978e83e85f22195456d1e460d7d481ed78bb2228d39b7d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains text related to sheet music and the malicious URL, suggesting a lure. The presence of numerous links, including the malicious redirector, indicates an attempt to drive traffic to potentially harmful content, likely for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=like+a+bridge+over+troubled+water+sheet+music+pdf
- http://files.raymondbonterdesigner.ca/uploads/1/3/1/4/131453598/barolefuzufa.pdf
- http://files.benedictinemonksoftaos.org/uploads/1/3/1/4/131406269/pipodivusu.pdf
- http://files.retreatatprairiewind.com/uploads/1/3/1/3/131379118/lujos-fanarejabu-mudiva-lizogij.pdf
- http://letakas.monkeesconcerts.com/uploads/1/3/1/4/131407995/fixifezu.pdf
- http://bubepimid.gladwinharrisoncatholic.com/uploads/1/3/0/7/130740141/2372698.pdf
- https://cdn.shopify.com/s/files/1/0437/7765/4942/files/85609017488.pdf
- https://cdn.shopify.com/s/files/1/0433/4419/9848/files/minecraft_1._7._10_texture_packs.pdf
- https://cdn.shopify.com/s/files/1/0434/5852/7394/files/sirivagev.pdf
- https://cdn.shopify.com/s/files/1/0430/9244/3303/files/39650282585.pdf
- https://cdn.shopify.com/s/files/1/0437/7539/3944/files/jozolirafa.pdf
- https://cdn.shopify.com/s/files/1/0431/5689/7947/files/53862656802.pdf
- https://cdn.shopify.com/s/files/1/0429/2309/8279/files/plantera_bulb_farm.pdf
- https://cdn.shopify.com/s/files/1/0436/0224/7838/files/puvibilifolamogibuxagu.pdf
- https://cdn.shopify.com/s/files/1/0431/2658/7549/files/22800754246.pdf
- https://cdn.shopify.com/s/files/1/0437/9649/6544/files/94316493511.pdf
- https://cdn.shopify.com/s/files/1/0432/0120/0288/files/gorasewaparopagebe.pdf
- https://cdn.shopify.com/s/files/1/0432/0113/4747/files/36189669978.pdf
- https://cdn.shopify.com/s/files/1/0431/0066/8065/files/mezevagopidanarabowiraso.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004f7b.bin` `d22d29da5150c45326810f50f9bb0f3b754d11b93842c351190e17518581ba0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F7B	5864 bytes
`font_01_sfnt_off00006364.bin` `9e6faa2485b1d81e6155959907392839ada9f52bd2115a16a1be6a34f140ca10`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6364	14432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.