PDF malware analysis — malicious · e8afa2baded35c66

MALICIOUS

PDF

58.8 KB Created: 2020-07-23 16:31:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4f09d76e0dbf2997eb0043d9cc02bc19 SHA-1: a29e3670966f9aeb34cef5bb8af0995e4fac959e SHA-256: e8afa2baded35c66d6fae2cd4dfc0b953eac1b6d2ce951949b2458c115b52b11

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with the primary redirector URL pointing to a known malicious domain. The heuristic firings indicate this is a link farm designed to distribute malicious content. While no scripts were extracted, the structure suggests a delivery mechanism for further malicious activity.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=game+banduk+game
- http://files.helleclan.com/uploads/1/3/0/7/130776073/juvenapafigobeware.pdf
- http://files.redemptionchurchchester.com/uploads/1/3/1/3/131379443/lalanode-xexakun.pdf
- http://files.triplecreekhunts.com/uploads/1/3/1/4/131453421/a3334fbb.pdf
- http://files.godard-christian.org/uploads/1/3/1/4/131453543/xipokasavole-jojutoguviso-sizopilelasirab.pdf
- http://files.sierpefrogs.com/uploads/1/3/2/7/132740239/5810723.pdf
- http://files.godard-christian.org/uploads/1/3/1/4/131453543/xipokasavole-jo
- https://cdn.shopify.com/s/files/1/0429/6844/9180/files/fageguzogatixotipabini.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/midotikonujeriruzopa.pdf
- https://cdn.shopify.com/s/files/1/0430/1294/8121/files/gujoti.pdf
- https://cdn.shopify.com/s/files/1/0429/7539/5993/files/lutevapitevujemelujonil.pdf
- https://cdn.shopify.com/s/files/1/0430/4109/5834/files/nupaniziluvege.pdf
- https://cdn.shopify.com/s/files/1/0436/6227/8809/files/20195876309.pdf
- https://cdn.shopify.com/s/files/1/0431/8891/2290/files/kajifovofixunuduxezogole.pdf
- https://cdn.shopify.com/s/files/1/0428/5209/0022/files/31716744888.pdf
- https://cdn.shopify.com/s/files/1/0432/3593/4370/files/purokig.pdf
- https://cdn.shopify.com/s/files/1/0429/2503/1587/files/53796396173.pdf
- https://cdn.shopify.com/s/files/1/0431/7573/9560/files/19988803288.pdf
- https://cdn.shopify.com/s/files/1/0429/8014/7359/files/nawemanomak.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_007_off0000b811.bin` `174c6cd6e666aa3056191cbca7543b5f545564991365d41737836e8a6e6ed2b4`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB811	21124 bytes
`font_00_sfnt_off00007c52.bin` `7d9632737f9f1195c3557e077a0a42df1854880d49316a374736c95eef49211e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C52	4720 bytes
`font_01_sfnt_off00008c3e.bin` `0ce69f7bc325fde4505dd5f63bd286007a7027d42f4369be9c70d80457c4f09c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8C3E	13968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.