MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains embedded links that point to a known malicious redirector, which in turn leads to a URL containing 'valores+normales+de+glucemia+capilar+pdf'. This suggests a phishing or scam attempt disguised as a health-related document. The PDF also contains a large number of external links, many hosted on Shopify, likely for SEO manipulation to increase visibility. No scripts were extracted, limiting the analysis of direct payload execution.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.me/wix?keyword=valores+normales+de+glucemia+capilar+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000070d3.bin b7af9d1f8e65331b63a088346c2b420bdc2e55e0c9b8d0348a9db25d197a4522 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x70D3 | 5440 bytes |
| font_01_sfnt_off00008347.bin bb274f3fc5abf7f48f9394c8e39f0b1c3486f89d0f0f85555053525470dc647c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8347 | 12776 bytes |