PDF malware analysis — malicious · c58214c66c543aeb

MALICIOUS

PDF

58.0 KB Created: 2020-08-31 09:48:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 61c4b6a48c547aa3d7e212a40c35175e SHA-1: dd2227342f9bfd1c08de38faa046e0c1449ed072 SHA-256: c58214c66c543aeb3347f23beb0b774a303378343581b8fc505935469e2e435a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, with one prominent link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the heuristic. This suggests a phishing or redirection attack aimed at leading the user to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=significado+etimologico+de+endocardi
- https://cdn.shopify.com/s/files/1/0430/6151/0293/files/30494068066.pdf
- https://cdn.shopify.com/s/files/1/0437/6113/9861/files/bapomefejapunameviwodamed.pdf
- https://cdn.shopify.com/s/files/1/0436/1689/5133/files/capture_one_pro_11.pdf
- https://cdn.shopify.com/s/files/1/0438/9902/7611/files/vujikefaximanivimopuril.pdf
- https://cdn.shopify.com/s/files/1/0437/0386/1416/files/wikubotizagolijivinu.pdf
- https://cdn.shopify.com/s/files/1/0430/3123/2666/files/30569128797.pdf
- https://cdn.shopify.com/s/files/1/0429/2476/9436/files/66458034053.pdf
- https://cdn.shopify.com/s/files/1/0428/3056/1436/files/26014875563.pdf
- https://cdn.shopify.com/s/files/1/0428/2341/8019/files/sutepole.pdf
- https://cdn.shopify.com/s/files/1/0434/5102/3526/files/pixaxegosurupuzuna.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/4274895189.pdf
- https://cdn.shopify.com/s/files/1/0432/3393/5519/files/32341477853.pdf
- https://static.usrfiles.com/ugd/52b593_4b6230f80a994773a8d3816ff9d80a83.pdf
- https://static.usrfiles.com/ugd/79e0dc_6bf2c8d7eed44b4bbc49755d6379aabf.pdf
- https://static.usrfiles.com/ugd/b8c837_ad908162b8fe44ed80bf2d3668d8be69.pdf
- https://static.usrfiles.com/ugd/b8c837_5f7122a0f76846b5979b588cb5287a24.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008003.bin` `05a03a5e5ac1aa57b5c117bb3e5d2202d947c64ab2d4f2545c4f7cf5085974df`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8003	5056 bytes
`font_01_sfnt_off0000910a.bin` `9176fae04f22fbabd0f913f437d9686dea3bc9a0918376cc633312b568b64f2f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x910A	11092 bytes
`font_02_sfnt_off0000b562.bin` `7427c6bc67859b578149a261544bb1535a5c5cc5499c5bcf465df30433ecb59a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB562	16200 bytes
`font_03_sfnt_off0000cab6.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCAB6	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.