PDF malware analysis — malicious · e009e290e2156398

MALICIOUS

PDF

67.1 KB Created: 2020-08-31 03:01:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 714f4d7593446a59c28461c183765bc4 SHA-1: dea6b6570e30d235703a7a59dea96a0bf77a07c5 SHA-256: e009e290e21563987a0a0af4d30b08a7d4c71a39e22f7e9404e711e0452e9448

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a case reference ('Christopher v bare 1848 11 qb 473') which is likely used as a lure. The primary malicious IOC is the redirector URL, which is designed to lead the user to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=christopher+v+bare+1848+11+qb+473
- https://static.usrfiles.com/ugd/d43733_a9fe32c557304b2396281f02dcf0d948.pdf
- https://static.usrfiles.com/ugd/b8c837_6496ba0ea7e0410296fce502a7dc1e01.pdf
- https://static.usrfiles.com/ugd/21a131_1fb6b3991d544a2595193b84a8049eac.pdf
- https://static.usrfiles.com/ugd/f523c3_c86dcc2294be4700aa49068473267fa6.pdf
- https://static.usrfiles.com/ugd/003b86_152c6553644f490291fcfb45e0e8d196.pdf
- https://static.usrfiles.com/ugd/b8c837_9152adba514f4e8fa39da77a059d4bd7.pdf
- https://static.usrfiles.com/ugd/b8c837_e02fd5b81f1b4eb8909d192f86466ecc.pdf
- https://static.usrfiles.com/ugd/9a242c_907c42116ebf4ff6a1476df57f619b9f.pdf
- https://static.usrfiles.com/ugd/e7e4a0_b76d2d4a6cc74eaeb45f763ea14759e7.pdf
- https://static.usrfiles.com/ugd/b8c837_46f6a3b0ad8842e9a77841f0ba807c20.pdf
- https://static.usrfiles.com/ugd/2f3ac6_0357c100d71644c8919b2c5b6a423236.pdf
- https://static.usrfiles.com/ugd/b8c837_b684c3bbe04f4812baeb904e999776ef.pdf
- https://static.usrfiles.com/ugd/4b7290_f7363417a2da4b0ea961b873f3dfb040.pdf
- https://static.usrfiles.com/ugd/8ba634_8f16dfb77dab4f8b8d87a12ac3ae6785.pdf
- https://static.usrfiles.com/ugd/80bfa9_5189dcbaf1f34211be6cef136934829d.pdf
- https://static.usrfiles.com/ugd/7f16bd_a2232c2b1e3a44d9afbb2ab75a63c981.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a416.bin` `340da16f7d0c9aa5bc2bd67c807a7dde978d9eb12829fda4f6ee3851ddd56d08`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA416	5684 bytes
`font_01_sfnt_off0000b785.bin` `17200d80d8a326ceae5beded83f6f5a95fa13b6bec068fb64d6550529e66e514`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB785	16812 bytes
`font_02_sfnt_off0000ea2d.bin` `2def80ee9cf871b89fa1821d83521187f92649b88f41053709a5a2c79b3e7c85`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEA2D	16132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.