PDF malware analysis — malicious · d396d012e3c7316c

MALICIOUS

PDF

196.6 KB Created: 2020-08-12 02:24:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e77b2d1b833f4b53f8cc7d7e666a9e59 SHA-1: 6d1f1ae375d23db248aaad88bb118e70789bd0a9 SHA-256: d396d012e3c7316ceb8c03b9e15e35b3ed0ee8bd7a615e063b385f516fb92730

70 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=alan+watts+pdf'. The document body also contains urgency language, suggesting a lure to entice the user to click the malicious link. The presence of this link indicates an attempt to redirect the user to a potentially malicious site for phishing or malware distribution.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=alan+watts+pdf
- http://files.kentvalleyfsc.org/uploads/1/3/0/9/130969592/1003521.pdf
- http://zavumuzeg.steppingstonesplaycenter.com/uploads/1/3/1/3/131383965/e9997.pdf
- http://files.safebabyhappymommy.com/uploads/1/3/0/9/130969061/d1cb2b0.pdf
- http://saguzomav.mbgkacademy.com/uploads/1/3/1/4/131438888/2672380.pdf
- http://files.villaup.com/uploads/1/3/1/4/131483719/xibosenife-sejin-digagixaz.pdf
- https://cdn.shopify.com/s/files/1/0433/6818/6015/files/58112255571.pdf
- https://cdn.shopify.com/s/files/1/0437/6743/1320/files/nojumibekobetegi.pdf
- https://cdn.shopify.com/s/files/1/0437/2011/4327/files/59370178410.pdf
- https://cdn.shopify.com/s/files/1/0435/3949/7112/files/zoxima.pdf
- https://cdn.shopify.com/s/files/1/0431/6839/9524/files/nuxexopagilobolezivimega.pdf
- https://cdn.shopify.com/s/files/1/0437/5796/1374/files/8722612893.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/saran.pdf
- https://cdn.shopify.com/s/files/1/0429/7388/8671/files/zagujiginoseted.pdf
- https://cdn.shopify.com/s/files/1/0427/9074/8316/files/nubefaro.pdf
- https://cdn.shopify.com/s/files/1/0435/7623/0047/files/puditebamikisusisobaj.pdf
- https://cdn.shopify.com/s/files/1/0430/1769/9477/files/55378763690.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00027edf.bin` `b73d6fb3590d5d30233f152db721aad0fa0f054216249d58ea32f6afee7ef840`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x27EDF	11184 bytes
`font_01_sfnt_off0002a34b.bin` `cb194efd976488a8c9dd428c3837f5fddd8ecebd4acb5f02c85b27b1f0654951`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2A34B	5020 bytes
`font_02_sfnt_off0002b492.bin` `fdf62288a07414c01f36126d5c7e4d3b97d4eac7fe7eb8b257daaebf09a096f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2B492	11380 bytes
`font_03_sfnt_off0002cd67.bin` `ec405f7330e9e7132da117e8d0475f6e221addd336658810c1ffdfec358af7d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2CD67	18468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.