PDF malware analysis — malicious · e56771448efde229

MALICIOUS

PDF

47.2 KB Created: 2020-08-22 04:57:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 711573e696853c57c62ff263a48f81e6 SHA-1: 357630cc82aa95d83f2a778d5aea29a7a4cbe2dd SHA-256: e56771448efde2292156becf1f14a7a8b507afd282db6b1e72880f552b79dbfd

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The document body itself is heavily obfuscated but contains the URL and a plausible lure related to 'sac hsn code list in excel sheet'. The PDF also exhibits characteristics of a link farm, with numerous embedded links to external PDFs, many hosted on Shopify. The primary malicious URL is a redirector designed to lead users to further malicious content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=sac+hsn+code+list+in+excel+sheet
- http://files.westmorelandhillsgc.org/uploads/1/3/1/3/131380107/zimidadugevos.pdf
- http://ludixub.carolinechilds.com/uploads/1/3/0/9/130969742/9842388.pdf
- http://kumajojop.princegeorgecleaners.com/uploads/1/3/1/0/131071164/5929075.pdf
- https://cdn.shopify.com/s/files/1/0432/2187/6899/files/galalifedonomewulo.pdf
- https://cdn.shopify.com/s/files/1/0433/6631/8230/files/38293366131.pdf
- https://cdn.shopify.com/s/files/1/0427/5575/2103/files/zubub.pdf
- https://cdn.shopify.com/s/files/1/0440/1568/1701/files/biology_class_9_notes_download.pdf
- https://cdn.shopify.com/s/files/1/0434/5259/6374/files/17647560215.pdf
- https://cdn.shopify.com/s/files/1/0433/3345/1944/files/2011_gmc_acadia_reviews_consumer_reports.pdf
- https://cdn.shopify.com/s/files/1/0433/1434/8197/files/luliwafepapenasezugifutaf.pdf
- https://cdn.shopify.com/s/files/1/0430/8343/2096/files/tf2_brain_maggot.pdf
- https://cdn.shopify.com/s/files/1/0434/6737/4758/files/fresh_pomegranate_mask_sheet.pdf
- https://cdn.shopify.com/s/files/1/0431/5670/1346/files/88750244265.pdf
- https://cdn.shopify.com/s/files/1/0440/7764/5989/files/damatufulifidopiz.pdf
- https://cdn.shopify.com/s/files/1/0430/7809/0901/files/19575716492.pdf
- https://cdn.shopify.com/s/files/1/0434/0360/8214/files/26213558368.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/taselalodomojobuda.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007bf5.bin` `3089479f24ab47ca2df499888e4f7ceca12f832ae2b1e6338c7cd5cc2c6f8e86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7BF5	5100 bytes
`font_01_sfnt_off00008d38.bin` `912b58e000a979646d5aeaf6c33c4098b15612162d49ae89669ef12947bfaea3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D38	10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.