PDF malware analysis — malicious · f65415f42c69f1a8

MALICIOUS

PDF

41.2 KB Created: 2020-09-03 06:41:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7443bdb9e502759d0597f1016bfae2f0 SHA-1: 1bab56876aeb86b8b4e23e4d84a2c80d1b7a3b8f SHA-256: f65415f42c69f1a8c4030b5061958d9f5c766ca9214d81543d1e1a392e2668e2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/wix?keyword=impact+test+experiment+lab+report'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0439/2511/0952/files/gofibasakamudilobatobaba.pdf' being the first identified. The document body, though heavily obfuscated, contains text fragments suggesting a 'lab report' lure, intended to entice users to click the malicious link. No scripts were extracted, and the family is undetermined.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/wix?keyword=impact+test+experiment+lab+report
- https://cdn.shopify.com/s/files/1/0439/2511/0952/files/gofibasakamudilobatobaba.pdf
- https://cdn.shopify.com/s/files/1/0437/3970/9589/files/natikadetakedoxafewivuse.pdf
- https://cdn.shopify.com/s/files/1/0430/7025/9357/files/delakopiwoleniximi.pdf
- https://cdn.shopify.com/s/files/1/0429/2182/0313/files/27329260670.pdf
- https://static.usrfiles.com/ugd/b8c837_b5d4a7022c8449feb37ebda458bdbc95.pdf
- https://static.usrfiles.com/ugd/45e30f_50971d46771045e28e5153386a8218be.pdf
- https://static.usrfiles.com/ugd/e2a635_0b772b984eef4c67bb6b94d78efd00cd.pdf
- https://cdn.shopify.com/s/files/1/0428/2603/9463/files/sbi_card_application_form_status.pdf
- https://cdn.shopify.com/s/files/1/0445/4694/9279/files/alimentos_para_diabeticos_tipo_2.pdf
- https://cdn.shopify.com/s/files/1/0436/6693/1865/files/69361870483.pdf
- https://static.usrfiles.com/ugd/affaa6_bb491d41f9084bba94fb5841e288d8e2.pdf
- https://static.usrfiles.com/ugd/b8c837_4f103243ff8346f791e0928d59f9e370.pdf
- https://static.usrfiles.com/ugd/fbcb80_af0ca2c15f504d84922a33698ac8f7ac.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/affaa6_bb491d4

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005bc8.bin` `86bb471274ef0ec05a44f68b69b2ce27ec6999c7399282fc7e228c3caeeb11a3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5BC8	1840 bytes
`font_01_sfnt_off000064c5.bin` `a253da3b26008c721fe9d9bd1b74d5ac3703faa5bc4d920a0ffb215e5365b215`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x64C5	5224 bytes
`font_02_sfnt_off0000766c.bin` `2f909564b976db2c3b2a8720ebc5c558386ace6a5b06c3649e6e501d2748d9b9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x766C	9796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.