PDF malware analysis — malicious · d7822898b5b649a6

MALICIOUS

PDF

49.9 KB Created: 2020-09-02 03:39:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 96f4e9f278a2bd66a9730f2d4ca41dd1 SHA-1: 855aca9214fddc9d615a7180004630e86eff4d7d SHA-256: d7822898b5b649a66f3e2a4655733393ce8648e86c7aedb42a9d8b8b174dc4f9

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a download for a "zombie shooter gun target hack mod apk". The document body and heuristics indicate a lure to download a file, likely malware, from the provided URL. The presence of a link farm suggests an attempt to distribute malicious content widely.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=zombie+shooter+gun+target+hack+mod+apk
- https://cdn.shopify.com/s/files/1/0462/5619/3687/files/free_avast_driver_updater_key.pdf
- https://cdn.shopify.com/s/files/1/0433/1926/3397/files/define_coliform_bacteria_science_term.pdf
- https://cdn.shopify.com/s/files/1/0431/5506/2938/files/46130657664.pdf
- https://cdn.shopify.com/s/files/1/0433/1952/5531/files/vopifovujezofavu.pdf
- https://static.usrfiles.com/ugd/ee6770_7fa4613835f148d89c6e5081e3d12404.pdf
- https://static.usrfiles.com/ugd/b8c837_685c5de96c4c4fb7b9e312da8da0a627.pdf
- https://static.usrfiles.com/ugd/82e28d_f659a9e2c11c4863acfba4734ff526b2.pdf
- https://static.usrfiles.com/ugd/253000_2c018e5fc2ef4d40bae8d6e59d647017.pdf
- https://static.usrfiles.com/ugd/b910ae_4a576bbbec09435f8794a22add45c107.pdf
- https://static.usrfiles.com/ugd/88a84f_a74e994e6e864d88846eb31d49dfb3f2.pdf
- https://static.usrfiles.com/ugd/f84671_f001f95f4aeb4e76a49ba9d56f37a565.pdf
- https://cdn.shopify.com/s/files/1/0431/6980/8535/files/papubomebazibumi.pdf
- https://cdn.shopify.com/s/files/1/0433/0392/7973/files/fegezap.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000062de.bin` `e211f2d6e0d1bf1fd17bd5150bc2724fb7c0f1d37b1c69b855d9dcad8de34ab0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62DE	2952 bytes
`font_01_sfnt_off00006d6c.bin` `bd54f9b5904867a07f64c987f76ad2c587621acf07e38c9e972da7ea43817204`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D6C	5616 bytes
`font_02_sfnt_off00008056.bin` `990fa2fd233d973cda757733d997b025cc73f9e09c0d51a4bf01f920813c8d12`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8056	10880 bytes
`font_03_sfnt_off0000a575.bin` `e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA575	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.