PDF malware analysis — malicious · f49440fe9947ff05

MALICIOUS

PDF

53.8 KB Created: 2020-08-30 19:54:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5c371dfe9db2a75c856fddd6212e39de SHA-1: aa806109f5bbbc2abec1ac3a8273e5c47f390d19 SHA-256: f49440fe9947ff056ffc99da5d1c7acd3336b37dd5ed98391a27a444297d444d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to a known malicious redirector. Additionally, PDF_SEO_LINK_FARM indicates a mass of external PDF links, suggesting a deceptive purpose. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a malicious site. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=appleblossom+the+possum
- https://static.usrfiles.com/ugd/3e9e83_1e037c880b9f4218ac1fcf5630ad07e5.pdf
- https://static.usrfiles.com/ugd/b8c837_408e0eff55044fd68ccb7aff459136fc.pdf
- https://static.usrfiles.com/ugd/c1108c_cb80de30f2ad4421b2bbc8b44d94c286.pdf
- https://static.usrfiles.com/ugd/b8c837_8f959a69199c4408965e1bfad6b4f0ca.pdf
- https://cdn.shopify.com/s/files/1/0462/9194/3584/files/67064246646.pdf
- https://cdn.shopify.com/s/files/1/0437/0232/1307/files/burnaby_north_calendar.pdf
- https://cdn.shopify.com/s/files/1/0448/4546/5762/files/verizion_wireless_rebate.pdf
- https://cdn.shopify.com/s/files/1/0437/5203/0357/files/7512264419.pdf
- https://cdn.shopify.com/s/files/1/0437/9947/8434/files/getegenavomawud.pdf
- https://cdn.shopify.com/s/files/1/0449/9701/7768/files/jetipurukaworo.pdf
- https://cdn.shopify.com/s/files/1/0431/1970/6279/files/asientos_de_ajuste_y_cierre.pdf
- https://cdn.shopify.com/s/files/1/0452/8783/3762/files/thinkpad_13_psref.pdf
- https://cdn.shopify.com/s/files/1/0431/0564/8801/files/gazejejubuporagowiniz.pdf
- https://static.usrfiles.com/ugd/10e3af_17c5cec35c2448c5996a9fd1e1934df9.pdf
- https://static.usrfiles.com/ugd/b8c837_834f1ea47de1430fbb9741efb9b80c99.pdf
- https://static.usrfiles.com/ugd/b8c837_4fafe1556de04878b0877aa3f90d2071.pdf
- https://static.usrfiles.com/ugd/b8c837_1fd0bdb4ea354122ab036d196f5a9c5b.pdf
- https://static.usrfiles.com/ugd/b8c837_796876de88fd40fba1d728efb3eaeb1d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000976e.bin` `f6870d0aabb30df83d917702a032ff27db4418dda3aa146f265fed2d557380b1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x976E	4884 bytes
`font_01_sfnt_off0000a7e0.bin` `2ccd21084696e170c4b62463e71a9d5682223d391cd0f174d63cdacf1ec48e7c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA7E0	10040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.