Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf83da5284a0cab7…

Verdict: MALICIOUS
File type: PDF
Size: 51.9 KB
Created: 2020-09-18 07:47:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00c4c3cd1ad4c00709628b6bd8306bb4
SHA-1: b86c476615bdfe13cf2eb7892b3e5245a3c260aa
SHA-256: cf83da5284a0cab7fc0402de8566365ac6abd35efccda591092ae758e9285960
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a prominent link that is identified as a malicious redirector, leading to a URL containing 'lightroom torrent free download'. This, combined with the heuristic identifying a link farm and a visual download button lure, strongly suggests a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the same lure URL. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=lightroom+torrent+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off00008ab6.bin
  SHA-256: 203d59793493fc9ff708a1ccf5a5b3e223033e42954de150eb2fe1ec78d63015
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8AB6
  Size: 5176 bytes

font_01_sfnt_off00009c3e.bin
  SHA-256: ef924c82e698654ba53ec3da1cc9ddc9c732f401061a312922dfaa29b0609e6e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9C3E
  Size: 10756 bytes