PDF malware analysis — malicious · da561e52fee8e4a4

MALICIOUS

PDF

46.3 KB Created: 2020-07-26 19:24:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6af5170a3db59283b40cc9b4803888cd SHA-1: 62a39c999b9f36714e26b13d66e4e552106a5a65 SHA-256: da561e52fee8e4a4d13f9748a9fa28c8920b938bd98bc78c093a1a21457dd702

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to malicious infrastructure, disguised as a wallpaper download. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates a direct link to a known malicious redirector, while PDF_SEO_LINK_FARM highlights the technique of using numerous links to obscure the malicious intent. The document body, though heavily obfuscated, contains keywords related to 'wallpaper' and the authoring application, suggesting a lure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=bhagat+singh+wallpaper++free
- http://files.lambersfisher.com/uploads/1/3/0/9/130969632/8860172.pdf
- http://files.vitaemovimento.com/uploads/1/3/0/7/130775231/7708622.pdf
- http://files.summitcprtraining.com/uploads/1/3/2/7/132712603/1664545.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94662163826.pdf
- https://cdn.shopify.com/s/files/1/0428/3557/4943/files/75328670504.pdf
- https://cdn.shopify.com/s/files/1/0429/8221/1735/files/vajedosadirerazodode.pdf
- https://cdn.shopify.com/s/files/1/0431/0397/7634/files/9439409098.pdf
- https://cdn.shopify.com/s/files/1/0437/7886/7354/files/wonum.pdf
- https://cdn.shopify.com/s/files/1/0435/2026/2308/files/vamezatoxe.pdf
- https://cdn.shopify.com/s/files/1/0428/5697/2455/files/jadarexodomigexalajew.pdf
- https://cdn.shopify.com/s/files/1/0431/8006/4936/files/vukojonejoworotixot.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xuxovozukirofavekejob.pdf
- https://cdn.shopify.com/s/files/1/0432/0083/9841/files/58923898338.pdf
- https://cdn.shopify.com/s/files/1/0432/7315/8806/files/61877237876.pdf
- https://cdn.shopify.com/s/files/1/0429/2008/3612/files/72578804957.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000701e.bin` `572e00ba74f927beb85bc5b9470144a9e5df1df9a2156f6a30fc65a5bfb6ec0c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x701E	4984 bytes
`font_01_sfnt_off0000810a.bin` `8a7fef30536efc43730865987e3b75d47a259a08003b22921e980fc4baa691d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x810A	1728 bytes
`font_02_sfnt_off000089a4.bin` `95775f16d706daa19ce256cca6ae8701b73b72cb41cf3ebc9fe64780ab5ed065`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x89A4	9984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.