PDF malware analysis — malicious · d842a869012952cb

MALICIOUS

PDF

47.0 KB Created: 2020-08-29 21:55:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 734574aa77cb4c54dcafe1898febc059 SHA-1: 9c523ac3df6a2f39ff2265fbfd818730b2b32dc3 SHA-256: d842a869012952cbeb21c4cd66bb6c6a89644c4c9332b34a1a6b9615e09a8100

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector URL. The primary heuristic indicates that these links are intended to lead users to malicious infrastructure. The document body itself is heavily obfuscated and contains the malicious URL, suggesting a social engineering attempt to redirect the user.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=els+determinants+esquema
- https://static.usrfiles.com/ugd/5ad03d_a79f9a85207c4f2189a48163d8d8db8f.pdf
- https://static.usrfiles.com/ugd/b8c837_d6247f754daa4a7dbd816da461b6224e.pdf
- https://static.usrfiles.com/ugd/b8c837_c1e2e3ef07f94482aa4b9e13d1ead4a3.pdf
- https://static.usrfiles.com/ugd/136d07_a6205b807cbf4f14a28ec058868abfa2.pdf
- https://static.usrfiles.com/ugd/6c98bc_709d7705a7e641ce8fdf20f009c33a6e.pdf
- https://cdn.shopify.com/s/files/1/0433/8266/9461/files/vehicle_information_by_chassis_number.pdf
- https://cdn.shopify.com/s/files/1/0440/2393/9237/files/numagivadozi.pdf
- https://cdn.shopify.com/s/files/1/0431/5391/6053/files/bord_and_pillar_mining_method.pdf
- https://cdn.shopify.com/s/files/1/0448/1178/0257/files/gamefowl_breeders_manual_and_cockers_guide.pdf
- https://cdn.shopify.com/s/files/1/0428/7086/6087/files/40259296582.pdf
- https://cdn.shopify.com/s/files/1/0435/0348/5092/files/24687796650.pdf
- https://cdn.shopify.com/s/files/1/0434/5764/2648/files/berlin_definition_ards.pdf
- https://cdn.shopify.com/s/files/1/0435/9513/7187/files/ingersoll_rand_ss5_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0433/3699/0885/files/29881495206.pdf
- https://cdn.shopify.com/s/files/1/0429/8424/3351/files/12593985332.pdf
- https://static.usrfiles.com/ugd/b8c837_51220ab7a3b94a4287df295a24eeeede.pdf
- https://static.usrfiles.com/ugd/b8c837_2f5f02556bc54717b8328048df782305.pdf
- https://static.usrfiles.com/ugd/b8c837_c8b5fbe519dd4d489f77557477427c74.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007acc.bin` `f9ef8a472d37ea1708a813c87ee3de392274906fb05835fce891cb9bfb1b7d8b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7ACC	5052 bytes
`font_01_sfnt_off00008bd2.bin` `4c5831c6397fdf3f20375ae29ad01213011b1c853d15c27393d0f2d64d70ce22`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8BD2	10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.