Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a large number of embedded links, and the primary heuristic identifies a clickable link to a known malicious redirector. The document body is heavily obfuscated, but the URLs recovered from it also appear in the extracted-URL list below. Taken together, the redirector link and the link farm indicate that the document exists to drive traffic to malicious or unwanted destinations, most likely for SEO poisoning or as one hop in a redirect chain that delivers further payloads. Both heuristics describe user-interaction redirect chains rather than a PDF parser vulnerability, and the only artifacts carved from the file are embedded fonts.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
  The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
  A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.me/wix?keyword=lighthouse+mission+inc+thrift+store+terre+haute+in
- http://files.sergiomauricio.ca/uploads/1/3/0/9/130969148/nerejip.pdf
- http://kibijor.homeworkclub.org/uploads/1/3/0/8/130813821/bedalifiwiruz.pdf
- http://gumosu.tomhalvorson2018.com/uploads/1/3/1/4/131408854/b96664d04c.pdf
- http://dowod.judithmbishop.net/uploads/1/3/0/7/130738531/zonivab-fopilurilag.pdf
- https://cdn.shopify.com/s/files/1/0431/3199/4280/files/31662905976.pdf
- https://cdn.shopify.com/s/files/1/0429/3348/5727/files/surirabaturiraxanon.pdf
- https://a23570a4-0bd3-4988-8101-279ed7626c40.filesusr.com/ugd/8d46c2_f13cfaa9178743a8a1a3067ec2df6abb.pdf?index=true
- https://ae4dc8ed-70ee-4f52-9ccd-e1a99368f918.filesusr.com/ugd/ff68bb_629720945649443ab0f619a0418bc2bf.pdf?index=true
- https://2a2a263d-dd56-4b9d-bdae-9e5d85b1f741.filesusr.com/ugd/46429b_2b3419d721764fb9bb1c531f670b3ee0.pdf?index=true
- https://4d767b05-9887-4c01-a656-fc8f1ee9c56f.filesusr.com/ugd/bfbc46_862a598434514983805e4d3c5bdfec9c.pdf?index=true
- https://62882103-2358-4211-825b-43f8a21b8da1.filesusr.com/ugd/bcc0e4_7b47d17fe72340688f2ebe552280ddb9.pdf?index=true
- https://281bc137-76c4-449e-8a2f-752ea8525ba5.filesusr.com/ugd/4e977a_3e750d2dac7b414ca7466887c10bb384.pdf?index=true
- https://978554e2-4afe-4329-9e8a-b00b73d57a3d.filesusr.com/ugd/54bec1_a5d0e7721733474a963616e7f33b60f8.pdf?index=true
- https://a08f2802-08bb-4e44-b47f-04f58248232d.filesusr.com/ugd/c88839_e7e6afe482794a49a81ef275e7ee6d64.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
(The last six entries are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links. They appear in any PDF that carries XMP metadata and carry no signal on their own.)
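The two critical heuristics above are simple enough to reproduce. The Python below is an added example written for this page, not the analyser's own code: it pulls clickable /URI targets out of the raw PDF bytes, separates them from URLs that merely appear somewhere in the body (such as the XMP namespace identifiers in the list), and applies a link-farm test (small file, many external .pdf links, mostly on one registrable domain) and a redirector test. Everything not taken from the report is an assumption and is marked as such in the code: the thresholds, the seeding of the redirector list with ttraff.me, the two-label approximation of a registrable domain, and the build_pdf fixture, which constructs a minimal PDF whose link targets mimic the report's pattern instead of reusing the sample itself.

```python
"""Added example (not the analyser's own code): rebuilds the report's two
PDF heuristics from raw bytes, with no third-party dependencies."""
import re
from collections import Counter
from urllib.parse import urlparse

# ASSUMPTION: ttraff.me is the redirector host the report's heuristic fired on.
# In production this set comes from a threat-intel feed, not a literal.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.me"}

# ASSUMPTION: illustrative thresholds, not the analyser's tuned values.
SMALL_PDF_BYTES = 64 * 1024   # "small PDF"
MIN_PDF_LINKS = 8             # "many" external .pdf links
CLUSTER_RATIO = 0.5           # share of those links on the top domain

# /URI (literal string) inside a link action. Handles backslash escapes, but
# not hex strings or objects inside compressed object streams: inflate those
# with a real parser (pypdf, pdfminer) before running this.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
_ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def _unescape(s: bytes) -> str:
    for esc, lit in ((b"\\)", b")"), (b"\\(", b"("), (b"\\\\", b"\\")):
        s = s.replace(esc, lit)
    return s.decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Split URLs by channel: clickable link annotations vs. anything else
    that merely appears in the body (XMP namespaces, obfuscated text, ...)."""
    links = {_unescape(m.group(1)) for m in _URI_RE.finditer(pdf)}
    body = {m.group(0).decode("latin-1") for m in _ANY_URL_RE.finditer(pdf)}
    return {"link_annotation": links, "body_only": body - links}


def registrable_domain(host: str) -> str:
    # ASSUMPTION: last two labels approximate the registrable domain. Good
    # enough to cluster *.filesusr.com subdomains, wrong for e.g. co.uk.
    return ".".join(host.lower().split(".")[-2:])


def assess(pdf: bytes) -> dict:
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM; return the
    labels that fired together with the evidence behind them."""
    links = extract_urls(pdf)["link_annotation"]
    redirectors, pdf_links, domains = [], [], Counter()
    for url in links:
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue
        if p.hostname.lower() in KNOWN_REDIRECTOR_HOSTS:
            redirectors.append(url)
        if p.path.lower().endswith(".pdf"):
            pdf_links.append(url)
            domains[registrable_domain(p.hostname)] += 1
    labels = []
    if redirectors:
        labels.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    top_domain, top_count = domains.most_common(1)[0] if domains else (None, 0)
    if (len(pdf) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS
            and top_count / len(pdf_links) >= CLUSTER_RATIO):
        labels.append("PDF_SEO_LINK_FARM")
    return {"labels": labels, "size": len(pdf), "redirectors": sorted(redirectors),
            "pdf_links": len(pdf_links), "top_domain": top_domain,
            "top_count": top_count}


def build_pdf(uris) -> bytes:
    """Constructed test fixture: a minimal PDF with one /Link annotation per
    URI plus an XMP metadata stream. Not a copy of the analysed sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>"]
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
                % (len(xmp), xmp))
    annots = b" ".join(b"%d 0 R" % i for i in range(5, 5 + len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>"
                % annots)
    for n, u in enumerate(uris):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (n * 12, n * 12 + 10, u.encode()))
    out, offsets = b"%PDF-1.4\n", []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out


# Constructed link set mimicking the report: one redirector, eight .pdf links
# on UUID-style filesusr.com subdomains, four .pdf links elsewhere.
SAMPLE_URIS = (
    ["https://ttraff.me/wix?keyword=lighthouse+mission+inc+thrift+store"]
    + [f"https://{i:08x}-0000-4000-8000-000000000000.filesusr.com/ugd/{i:06x}_doc.pdf?index=true"
       for i in range(8)]
    + ["http://files.example.net/uploads/1/3/0/9/1/a.pdf",
       "http://kibijor.example.org/uploads/1/3/0/8/1/b.pdf",
       "https://cdn.example.com/s/files/1/0431/3199/4280/files/c.pdf",
       "https://cdn.example.com/s/files/1/0429/3348/5727/files/d.pdf"])

if __name__ == "__main__":
    result = assess(build_pdf(SAMPLE_URIS))
    print(result["labels"], result["top_domain"], result["top_count"], result["pdf_links"])
```

Run it as a script to see which labels fire for the constructed fixture; to triage a real file, replace build_pdf(...) with the file's bytes after decompressing its object streams with a proper parser, since the regexes only see uncompressed /URI strings. The XMP namespace URIs land in body_only and never count toward either heuristic, which is the distinction the EMBEDDED_URL note draws between a URL being present and a URL being reachable by a click.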
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000048da.bin | 04f120fa9a8e4589d0f90655e986e345b1bde3c5e1e461b78d9a5312707b9c20 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x48DA | 5204 bytes |
| font_01_sfnt_off00005a6d.bin | 75928aacd87eb5d768ae5175921267dc626c42ff8a7f8b9c77529bc5e1bdd242 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A6D | 9636 bytes |