PDF malware analysis — malicious · c5a62e3d753c7e4f

MALICIOUS

PDF

53.5 KB Created: 2020-08-10 12:02:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 491db22bbdc1e73c8343fcb33261c77d SHA-1: 42eba3f7fbfacd456a9b026be771d53c9bace2c7 SHA-256: c5a62e3d753c7e4f347f1736dd10d7fc2eb786d87b9754a0810dd7ecfd6e4849

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious File

This PDF document contains a large number of embedded links, identified as a link farm, designed to redirect users to external sites. The primary redirector URL is https://ttraff.cc/pify?keyword=arsene+lupin+pdf+english, which is flagged as malicious. The document's structure and embedded links suggest a social engineering tactic to drive traffic to malicious infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=arsene+lupin+pdf+english
- http://files.toastandeggsvt.com/uploads/1/3/2/6/132681384/1827528.pdf
- http://danufalo.thepitchthemovie.com/uploads/1/3/1/6/131606289/73927.pdf
- http://saragux.proautomations.net/uploads/1/3/2/6/132681352/wikoluz-jikaka-tenuka.pdf
- http://files.onyxbeautystudio.com/uploads/1/3/2/6/132681199/7234459.pdf
- https://cdn.shopify.com/s/files/1/0433/6274/6517/files/prueba_bioquimica_catalasa.pdf
- https://cdn.shopify.com/s/files/1/0432/5598/8387/files/49835234911.pdf
- https://cdn.shopify.com/s/files/1/0429/1887/1207/files/creative_writing_a_workbook_with_readings.pdf
- https://cdn.shopify.com/s/files/1/0439/3956/1630/files/tapevimibidisogekep.pdf
- https://cdn.shopify.com/s/files/1/0430/7812/3680/files/12623347725.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/razikeruranofe.pdf
- https://cdn.shopify.com/s/files/1/0427/5548/9948/files/1631492087.pdf
- https://cdn.shopify.com/s/files/1/0430/9843/9837/files/29361291479.pdf
- https://cdn.shopify.com/s/files/1/0431/3264/9636/files/70106498614.pdf
- https://cdn.shopify.com/s/files/1/0430/0334/7098/files/wosaxon.pdf
- https://cdn.shopify.com/s/files/1/0435/8111/2483/files/setiperogepo.pdf
- https://cdn.shopify.com/s/files/1/0431/2806/2109/files/runavunikupoviriwofavof.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008775.bin` `7fb2cb5fcb37534c1d78edadf0e67fba6bed14d0d031208c60a80bae319122dc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8775	4772 bytes
`font_01_sfnt_off00009792.bin` `f1675f5051bdf502fef9f06f885a57c8c649e275d2cac705455a317b9902625b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9792	10240 bytes
`font_02_sfnt_off0000baa3.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBAA3	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.