PDF malware analysis — malicious · eb10a35d367fcf53

MALICIOUS

PDF

46.6 KB Created: 2020-08-31 19:44:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7219a5dce6433c683097fb8a85756ec4 SHA-1: e209957130c4827958d8702c49a945f3e21e65ef SHA-256: eb10a35d367fcf53c4ea3afca2b1557b04e6e3ab4e30173198435e549504b400

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary heuristic firing indicates that the document links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to a 'project planner calendar template' and the malicious URL, suggesting a lure to entice users to click the link. The redirector URL is the highest priority IOC.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=project+planner+calendar+template
- https://static.usrfiles.com/ugd/0b46e6_cae445901f5a4deaa980b7a8e2bd788f.pdf
- https://static.usrfiles.com/ugd/2b25e8_109f1f598547491cb790db37698d7d2f.pdf
- https://static.usrfiles.com/ugd/b8c837_48e37fcc113c452f908e00b5c7180b52.pdf
- https://static.usrfiles.com/ugd/6d59ab_6eedde132058431e9b21a0101d3a9f64.pdf
- https://static.usrfiles.com/ugd/bb13a2_e4dcf58a265e47018f51586fb97c84ff.pdf
- https://cdn.shopify.com/s/files/1/0430/1769/9477/files/dark_soul_coc.pdf
- https://cdn.shopify.com/s/files/1/0430/0885/2117/files/lejuxus.pdf
- https://cdn.shopify.com/s/files/1/0434/3182/1473/files/audit_committee_meeting_minutes_template.pdf
- https://cdn.shopify.com/s/files/1/0440/9245/7112/files/venoruzisifeganevas.pdf
- https://cdn.shopify.com/s/files/1/0432/6624/4764/files/16448121960.pdf
- https://cdn.shopify.com/s/files/1/0431/0951/5415/files/lezafufizuvofi.pdf
- https://cdn.shopify.com/s/files/1/0433/3345/1944/files/acestream_android_apk_cracked.pdf
- https://cdn.shopify.com/s/files/1/0427/5296/6812/files/91782401644.pdf
- https://cdn.shopify.com/s/files/1/0435/5309/5844/files/53108635407.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xuxovozukirofavekejob.pdf
- https://cdn.shopify.com/s/files/1/0433/7962/2040/files/60480361069.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006dbf.bin` `df031bf7677b570747d261f70be10df8f495a04e49d495d9d951db51f99d9509`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DBF	4856 bytes
`font_01_sfnt_off00007e24.bin` `14f1fb9e6d02dd87df237d1dd5d2020e2a400c99f7c6b3f504e03d9f28602105`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E24	9644 bytes
`font_02_sfnt_off00009f34.bin` `9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9F34	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.