PDF malware analysis — malicious · c62d9717ef1a165e

MALICIOUS

PDF

48.9 KB Created: 2020-08-21 17:10:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: de453890971add36d52b12b9d98d8539 SHA-1: 7ca3e502b2fe007098257fec0d7cd145d49eb8c7 SHA-256: c62d9717ef1a165e0c6c5a60efb7b6bf9c83b8fc65aaeb852da2e5265145c681

182 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a link farm and a specific URL that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text fragments and URLs that suggest a lure related to 'Charles proxy ssl android 7'. The SE_SECRET_RECOVERY_LURE heuristic further suggests the document's intent is to trick users into revealing sensitive information. The PDF_SEO_LINK_FARM heuristic indicates a large number of embedded links, likely for SEO poisoning or to distribute the malicious payload.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE

Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=charles+proxy+ssl+android+7
- http://fimunad.ocdlondon.com/uploads/1/3/0/9/130969352/dadizo.pdf
- http://files.kateadkinstherapy.com/uploads/1/3/1/8/131857818/f5f06.pdf
- http://files.roselapiere.com/uploads/1/3/1/8/131858044/xidijajofakir.pdf
- http://android-developers.blo
- https://cdn.shopify.com/s/files/1/0429/8499/7025/files/43846808132.pdf
- https://cdn.shopify.com/s/files/1/0430/9975/0560/files/akbar_birbal_stories_in_english_with_pictures_download.pdf
- https://cdn.shopify.com/s/files/1/0432/1778/0896/files/25779518455.pdf
- https://cdn.shopify.com/s/files/1/0432/7358/4793/files/fall_out_boys_immortals_mp3.pdf
- https://cdn.shopify.com/s/files/1/0433/9548/1750/files/segupeperazovubovoliluv.pdf
- https://cdn.shopify.com/s/files/1/0450/4177/8838/files/principles_of_operations_management_8th_edition.pdf
- https://cdn.shopify.com/s/files/1/0431/3081/4626/files/regulation_of_beta_oxidation.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ad3.bin` `ad6df6181c8a7ba9df87f7c578aae9715ac013158f303082d8c145033ac29e6c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6AD3	5200 bytes
`font_01_sfnt_off00007c88.bin` `137f38bd27129f8fa39bfa0626dfbbb6073d9efa2615a49f39e36e9d88103031`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C88	11036 bytes
`font_02_sfnt_off0000a20d.bin` `d781c508aaf473e50263a6aabc3f4161b7fa10724c54bb8d35addee38a7f1c44`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA20D	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.