PDF malware analysis — malicious · d0db831a19e5278e

MALICIOUS

PDF

38.5 KB Created: 2020-08-07 11:46:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 45c6296f1ca5b69968721702db81ff5c SHA-1: a430d8b82109055750f53c6d172c95ec0b2ca67b SHA-256: d0db831a19e5278eeab163d170f6d2c7224148fcb70c087a58e6ecd073b7c5a3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to a 'bill of rights poster project pdf', further suggesting a phishing or redirection attempt. The presence of numerous external PDF links also indicates a link farm strategy, likely to improve search engine ranking for malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wb?keyword=bill%20of%20rights%20poster%20project%20pdf
- http://jezuf.castillosclasses.com/uploads/1/3/0/8/130873995/22c910d25a.pdf
- http://files.mapced.org/uploads/1/3/0/7/130776131/giwokujedomuva.pdf
- http://files.asldeanpapalia.com/uploads/1/3/2/6/132681670/gixazeguz.pdf
- http://files.hunterdonchurch.org/uploads/1/3/0/8/130813108/vinedexagajivolem.pdf
- https://cdn.shopify.com/s/files/1/0430/0747/5875/files/figasanipeva.pdf
- https://cdn.shopify.com/s/files/1/0430/5911/8229/files/svu_theme_song.pdf
- https://cdn.shopify.com/s/files/1/0433/7077/4679/files/gita_chapter_12_sanskrit.pdf
- https://cdn.shopify.com/s/files/1/0427/9776/0668/files/jisemilisodepifumajajoge.pdf
- https://cdn.shopify.com/s/files/1/0432/1961/5904/files/cactus_patch_osrs.pdf
- https://cdn.shopify.com/s/files/1/0428/5192/6183/files/kubudem.pdf
- https://cdn.shopify.com/s/files/1/0438/0088/7457/files/importance_of_revenue_management_in_hotel_industry.pdf
- https://cdn.shopify.com/s/files/1/0432/0880/2468/files/xekuros.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/17612659915.pdf
- https://cdn.shopify.com/s/files/1/0452/8229/5969/files/bienestar_emocional_en_adultos_mayores.pdf
- https://cdn.shopify.com/s/files/1/0436/8780/5081/files/tyranids_8th_edition_codex.pdf
- https://cdn.shopify.com/s/files/1/0436/1574/8253/files/91504728878.pdf
- https://cdn.shopify.com/s/files/1/0435/2763/5096/files/12170741846.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005658.bin` `88b3de3d7e8dbaca395a166e59e6c5ab417eef592d015ded26748a2e1cedbc9c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5658	5332 bytes
`font_01_sfnt_off00006887.bin` `d8926a35d13feb021d2af3bef01469a28a560736cb7e3744e0701f886347fa2f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6887	10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.