PDF malware analysis — malicious · ede0e9bca49d90c4

MALICIOUS

PDF

65.2 KB Created: 2020-08-12 13:23:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 52cef6387e36304d9088fcc5e46f0645 SHA-1: 14310f84f61f187acc79cb237de11f08528090f6 SHA-256: ede0e9bca49d90c4fc581edb4a387a5683bee68188ce29c8729a5681e325c94d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, with a critical heuristic firing indicating it's a malicious redirector link farm. The primary malicious URL identified is https://ttraff.cc/pify?keyword=g7+communique+pdf, which is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains references to 'G7 communique pdf' and the wkhtmltopdf application, suggesting a lure to disguise malicious content. The presence of many external PDF links, including benign ones hosted on Shopify, is characteristic of SEO poisoning or link farm techniques to increase visibility and traffic to malicious destinations.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=g7+communique+pdf
- http://files.drmanuelamenendez.com/uploads/1/3/0/7/130739028/763a043e06f7.pdf
- http://files.missionalworship.com/uploads/1/3/2/3/132302764/0aa1000e9.pdf
- http://files.worxforms.com/uploads/1/3/2/7/132740764/kakerugonames_jukufamepenib_fedabudifib_lomudigesupoda.pdf
- http://files.coastlinemetals.com/uploads/1/3/1/4/131407952/sanakixaxaburovitad.pdf
- http://files.koreanatoledo.com/uploads/1/3/0/9/130969037/0167074.pdf
- https://cdn.shopify.com/s/files/1/0452/4271/2221/files/administrao_estratgica_wright_kroll_e_parnell.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/c_udp_listener.pdf
- https://cdn.shopify.com/s/files/1/0431/7901/6360/files/32570795987.pdf
- https://cdn.shopify.com/s/files/1/0433/3685/9813/files/66869786434.pdf
- https://cdn.shopify.com/s/files/1/0435/0027/3830/files/6548919831.pdf
- https://cdn.shopify.com/s/files/1/0427/7505/2454/files/blender_boolean_addon.pdf
- https://cdn.shopify.com/s/files/1/0432/7571/4715/files/landslide_in_kerala.pdf
- https://cdn.shopify.com/s/files/1/0449/0782/3259/files/58380860701.pdf
- https://cdn.shopify.com/s/files/1/0429/2021/4681/files/voropufafu.pdf
- https://cdn.shopify.com/s/files/1/0439/3671/0824/files/alstom_logo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/2283550224.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c1ce.bin` `fd52326b4c700fbeb63498bfb628ba40aaa994735ef7232862b1fe9d2f35d7c7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC1CE	5020 bytes
`font_01_sfnt_off0000d2e3.bin` `7d0a17fe3920819ac9c2000ee7fae3a3ac06ae62ffb27cec99586f7dedb9f325`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD2E3	11232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.