PDF malware analysis — malicious · ca1be845bfcfa4e0

MALICIOUS

PDF

46.6 KB Created: 2020-08-09 01:46:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 41791eef78bb855d41dda0c12ced33e6 SHA-1: a2961511b4f8eb6349c29edcf64ad43a84500727 SHA-256: ca1be845bfcfa4e0af39be1e5ff84508c88effae953133ac6d2130ccc48fdab4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'rocket engines' and includes the malicious URL. The presence of a link farm heuristic further supports the malicious intent of directing users to external sites. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=design+of+liquid+fueled+rocket+engines+pdf
- http://files.kieranekeledo.com/uploads/1/3/0/7/130740211/mefoga_gogim_weveve_tefit.pdf
- http://files.juliaselectrolysis.com/uploads/1/3/2/7/132741136/sejenela.pdf
- http://tudama.chillingthemost.com/uploads/1/3/1/3/131383483/nujijojelakivur.pdf
- http://files.adventuresuntethered.com/uploads/1/3/2/7/132740633/fda838e6a882.pdf
- http://boxuketu.3fishproductions.com/uploads/1/3/1/3/131380042/5106321.pdf
- https://cdn.shopify.com/s/files/1/0428/9586/8067/files/59253198885.pdf
- https://cdn.shopify.com/s/files/1/0455/3559/2613/files/basic_technical_drawing.pdf
- https://cdn.shopify.com/s/files/1/0430/2353/2195/files/lief_erickson_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0429/5933/9674/files/22086207742.pdf
- https://cdn.shopify.com/s/files/1/0431/3251/8555/files/newewesofajifuzonuf.pdf
- https://cdn.shopify.com/s/files/1/0428/4334/0956/files/36499161899.pdf
- https://cdn.shopify.com/s/files/1/0436/4192/9886/files/16961623172.pdf
- https://cdn.shopify.com/s/files/1/0434/7405/9430/files/kilipirar.pdf
- https://cdn.shopify.com/s/files/1/0430/1812/5465/files/marenejuta.pdf
- https://cdn.shopify.com/s/files/1/0450/5174/0310/files/discord_webhook_api.pdf
- https://cdn.shopify.com/s/files/1/0434/1058/7800/files/coleman_1850_generator_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/1020/3556/files/tegerunov.pdf
- https://cdn.shopify.com/s/files/1/0436/1748/4957/files/durutepaso.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ba3.bin` `f2d4db52a72c600bf341db17e00d9ba930081df8acff0b604d5b029d28c74a80`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6BA3	5304 bytes
`font_01_sfnt_off00007dc3.bin` `14321da4347fa65a24c3fbced9e5b5122cf3a2f288f29316b16641bdf118fe92`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7DC3	15460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.