PDF malware analysis — malicious · db9c7ec24f625519

MALICIOUS

PDF

40.4 KB Created: 2020-08-11 15:58:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 565d93471390b3c0fcf434936e2ab14d SHA-1: 35c4424a5581d0209457bbf8a027c239f082cfe0 SHA-256: db9c7ec24f62551922e34686721afabdff3d38aebaca6e913f9393d81ba3d9e7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating it's a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=paramphistomum+cervi+pdf'. Additionally, another critical heuristic identified it as a PDF SEO link farm, containing numerous embedded links, with the first being 'https://cdn.shopify.com/s/files/1/0428/9835/8432/files/71061356311.pdf'. The document body contains obfuscated text and the malicious URL, suggesting a phishing or scam attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=paramphistomum+cervi+pdf
- http://files.surf-school-capbreton.com/uploads/1/3/1/4/131454766/sitegabunul.pdf
- http://files.countryriskscores.com/uploads/1/3/0/9/130969322/wefezaneze.pdf
- http://files.gunnersquillshedgehogs.com/uploads/1/3/0/9/130969809/23bae6018a.pdf
- http://files.classicalteachingtextbook.com/uploads/1/3/1/3/131383255/7907741.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/71061356311.pdf
- https://cdn.shopify.com/s/files/1/0436/2030/3006/files/mubodakasoxenudiponopop.pdf
- https://cdn.shopify.com/s/files/1/0428/8489/0790/files/jumoku.pdf
- https://cdn.shopify.com/s/files/1/0431/0319/1193/files/grade_7_maths_exam_papers.pdf
- https://cdn.shopify.com/s/files/1/0429/5704/5913/files/warunomovejaporemote.pdf
- https://cdn.shopify.com/s/files/1/0431/5817/5906/files/54941954782.pdf
- https://cdn.shopify.com/s/files/1/0431/8789/6488/files/nevavofozafajow.pdf
- https://cdn.shopify.com/s/files/1/0432/1479/9012/files/devemojenu.pdf
- https://cdn.shopify.com/s/files/1/0437/6349/9159/files/73462418255.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/29480145432.pdf
- https://cdn.shopify.com/s/files/1/0436/3167/3502/files/bundeslnder_wappen.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005591.bin` `610192ea2e31546744b93f91adfe1a863f21876a8bdbe2e739dfef410fb60450`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5591	5424 bytes
`font_01_sfnt_off000067d8.bin` `eb903a4bcabb0673128613fc2c6a3b3be6b6be0204d11159aa2f590e1d82ee93`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67D8	3740 bytes
`font_02_sfnt_off00007350.bin` `f65f1de8c1ef6afedfdc1ba3ca9f20bcb017a5e76e351c3a61a7c0d538235583`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7350	9764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.