PDF malware analysis — malicious · f0ba81dfa01c8a2b

MALICIOUS

PDF

42.4 KB Created: 2020-08-04 19:27:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 47f0ac6856f24a8beb4a5b6d1e979cb1 SHA-1: c4a7f3410a3e48420bffee5952e7bccb2fde0e01 SHA-256: f0ba81dfa01c8a2b280be9cd0aa162e57f448e3fbc0a3a39807c9598b745eb95

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and suggests a lure related to 'cavernomatosis portal pdf'. The presence of a malicious redirector indicates an attempt to lead the user to a harmful destination, likely for credential harvesting or malware delivery. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=cavernomatosis+portal+pdf
- http://files.goodwin-niering.com/uploads/1/3/1/4/131409526/nuvoxupivabulul.pdf
- http://files.777worldwidebibleprophecy.com/uploads/1/3/1/6/131606467/digixana.pdf
- http://files.kytaonline.com/uploads/1/3/2/7/132710753/1230962.pdf
- http://files.sharonviewcorpcenter.com/uploads/1/3/2/7/132710765/0475cc.pdf
- https://cdn.shopify.com/s/files/1/0433/8260/3927/files/27206868099.pdf
- https://cdn.shopify.com/s/files/1/0428/1139/2167/files/risk_management_plan_example_for_business.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/50537202024.pdf
- https://cdn.shopify.com/s/files/1/0432/0378/8959/files/mercruiser_4._3_service_manual.pdf
- https://cdn.shopify.com/s/files/1/0428/4986/1791/files/27660202946.pdf
- https://cdn.shopify.com/s/files/1/0430/7661/6341/files/33625392120.pdf
- https://cdn.shopify.com/s/files/1/0429/3813/8783/files/ncert_biology_books_for_class_12.pdf
- https://cdn.shopify.com/s/files/1/0440/2960/8101/files/19691750831.pdf
- https://cdn.shopify.com/s/files/1/0432/0775/3888/files/71182377946.pdf
- https://cdn.shopify.com/s/files/1/0436/4405/9806/files/rujakurisumekesonuvuviw.pdf
- https://cdn.shopify.com/s/files/1/0432/6332/8411/files/97261863201.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006831.bin` `30a9174011f2e7844e9705793f1e02e248341595cfb75330b31c0e14e78738d8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6831	5152 bytes
`font_01_sfnt_off000079a9.bin` `ca79a7aeabb17e0b55e53d21ac7933f6d60ba55c018a8a2732c52ff6542e7b48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79A9	10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.