PDF malware analysis — malicious · edb25d5e57b6dc29

MALICIOUS

PDF

43.6 KB Created: 2020-08-11 06:54:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6cc05970267733d3e3ffd504b4ea2814 SHA-1: a60e00d3da5ee756295e4f58ee550459db4a823d SHA-256: edb25d5e57b6dc29cfeaa21871c97708ac41d35817468818c854ecb1cb844346

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector at 'https://ttraff.com/pify?keyword=julius+caesar+english+translation+pdf'. The document body, though heavily obfuscated, contains text related to 'Julius Caesar' and the PDF's creation tool, suggesting a lure to disguise the malicious links. The presence of a link farm heuristic further indicates an attempt to distribute malicious content or phish users.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=julius+caesar+english+translation+pdf
- http://files.distantxtremes.com/uploads/1/3/1/8/131871569/jusolajipanune_zoriga_gawinafewe.pdf
- http://files.stnicholaselearning.ca/uploads/1/3/0/7/130738741/3632894.pdf
- http://files.butterflykisseslashlounge.ca/uploads/1/3/1/4/131437333/320d785baac.pdf
- http://files.puremsm.com/uploads/1/3/1/8/131871593/xelanoluw-reseletorivo-sijokufi.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/61259485886.pdf
- https://cdn.shopify.com/s/files/1/0434/4912/2983/files/exercice_orthographe_ce2.pdf
- https://cdn.shopify.com/s/files/1/0434/2897/0647/files/wemopuredufizosetoxor.pdf
- https://cdn.shopify.com/s/files/1/0431/7180/7391/files/50129239890.pdf
- https://cdn.shopify.com/s/files/1/0437/7837/5831/files/electronic_devices_by_floyd_6th_edition.pdf
- https://cdn.shopify.com/s/files/1/0434/2241/7046/files/93817967409.pdf
- https://cdn.shopify.com/s/files/1/0433/4547/7800/files/10194796922.pdf
- https://cdn.shopify.com/s/files/1/0432/5769/2320/files/panasonic_kx-_tga931t_manual.pdf
- https://cdn.shopify.com/s/files/1/0434/2910/1735/files/emco_storm_doors.pdf
- https://cdn.shopify.com/s/files/1/0433/7188/8803/files/69139209463.pdf
- https://cdn.shopify.com/s/files/1/0433/3545/0774/files/special_characters_on_keyboard.pdf
- https://cdn.shopify.com/s/files/1/0431/2514/5760/files/68464699058.pdf
- https://cdn.shopify.com/s/files/1/0431/4166/0826/files/html_color_codes.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006cbc.bin` `491ebc029b5cadac0188a61930c2b48f2e3d828b083afc6fc3c0f65e176ea2ac`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CBC	5408 bytes
`font_01_sfnt_off00007f0b.bin` `12248f23c410f2468f13c5d48eca4b6bc01bb1b1d6d5fe56f8670b397806b90c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F0B	10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.