PDF malware analysis — malicious · e4e93c72643b4050

MALICIOUS

PDF

43.7 KB Created: 2020-09-01 21:55:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4fec906ba7027f3b6f69ac57e2c60cf5 SHA-1: 7b413c6bdab29a49635ae9f44fac00b20177dd55 SHA-256: e4e93c72643b405038c3025d5321622e9f5407a7ee4802ee42e17b41f6a5cd05

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF contains a link farm and a specific malicious redirector URL, indicating an attempt to lure users to a harmful site. The document body, though garbled, contains text related to 'Bonnibel platform sandals' and the malicious URL, suggesting a product-lure phishing tactic. The heuristic firings confirm the presence of a malicious redirector and a link farm, further supporting the phishing attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=bonnibel+platform+sandals
- https://static.usrfiles.com/ugd/b8c837_b110cfcaee064105be01a87234f9ce4e.pdf
- https://static.usrfiles.com/ugd/5a1791_1344e616897440e5826a67191c9dfd0b.pdf
- https://static.usrfiles.com/ugd/529ba0_09fb2c5c8c6344baa208b9158ca0c9a5.pdf
- https://static.usrfiles.com/ugd/269bb8_f61d2efe83ec4809a3b8156830fbd2dc.pdf
- https://static.usrfiles.com/ugd/5e81b9_866071e3e73147d6bc84b99647b65f36.pdf
- https://static.usrfiles.com/ugd/83e24f_d267fa36066845d0a032c38c2655bec1.pdf
- https://static.usrfiles.com/ugd/136d07_81840631a9aa4556b901e956c0225e95.pdf
- https://static.usrfiles.com/ugd/b8c837_16479d6eafdc437fa583bb2210179fda.pdf
- https://static.usrfiles.com/ugd/e2c6c1_2df1caf9254a4dbc92e8ea01504b2962.pdf
- https://static.usrfiles.com/ugd/b8c837_854c2fd46a664c888cd916e048a33000.pdf
- https://static.usrfiles.com/ugd/d54300_a5ad81f3a1114ec1a360839d48fecccb.pdf
- https://static.usrfiles.com/ugd/b8c837_6eab54b5549c4d19b017b33054ab9adc.pdf
- https://static.usrfiles.com/ugd/b8c837_477a9aa39b4845dcbe26f16521782329.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000062d5.bin` `52b628761225dc07a9d1e3cd727e938505f7d73a614d7c4a4041bdfc61aac6a3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62D5	5376 bytes
`font_01_sfnt_off000074fc.bin` `779540f431ddc47f630270f5c14f2c5d47cdbf73a0c3b1cd397beef92b0fbe87`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74FC	2372 bytes
`font_02_sfnt_off00007f80.bin` `ba1a4af391223678a53d98bef545197d477fbbaf1c3ce8a986581b1b1437717e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F80	10136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.