PDF malware analysis — malicious · f89adbad9adf4fd8

MALICIOUS

PDF

49.4 KB Created: 2020-08-28 22:38:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 839e0fca51499a724fc1ca6dbff0ed25 SHA-1: e145e19ee57eb399e3ffe3b5dffa318c3998186c SHA-256: f89adbad9adf4fd824c5585b25a400ec5b543e43de8bbfec7178518372bc0253

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=oraison+fun%25C3%25A8bre+p%25C3%25A9ricl%25C3%25A8s+commentaire'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, including 'https://cdn.shopify.com/s/files/1/0427/7446/2631/files/gezoxemar.pdf'. The document body text, though partially corrupted, includes the title 'Oraison funèbre périclès commentaire', suggesting a lure to disguise the malicious intent. The primary attack pattern involves redirecting the user to a malicious site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=oraison+fun%25C3%25A8bre+p%25C3%25A9ricl%25C3%25A8s+commentaire
- https://cdn.shopify.com/s/files/1/0427/7446/2631/files/gezoxemar.pdf
- https://cdn.shopify.com/s/files/1/0433/6871/0294/files/xbox_360_controller_buttons_names.pdf
- https://cdn.shopify.com/s/files/1/0433/4324/9576/files/the_mckinsey_edge.pdf
- https://cdn.shopify.com/s/files/1/0430/4109/5834/files/mefitawubowifuvux.pdf
- https://cdn.shopify.com/s/files/1/0434/3264/0664/files/65479349361.pdf
- https://cdn.shopify.com/s/files/1/0427/7446/2631/files/zuvide.pdf
- https://static.usrfiles.com/ugd/b8c837_88832ff918c442568b08c5cada25cd28.pdf
- https://static.usrfiles.com/ugd/b8c837_c35bd179ac7a4036a742c1aa8f7f46b5.pdf
- https://static.usrfiles.com/ugd/b8c837_0b30166810744730a5fff6f5805142f8.pdf
- https://static.usrfiles.com/ugd/b8c837_811a76de6e2a46d895548fab17035b52.pdf
- https://cdn.shopify.com/s/files/1/0439/1898/3323/files/frontline_magazine_september_2020.pdf
- https://cdn.shopify.com/s/files/1/0427/7692/0220/files/usps_customs_form_2976.pdf
- https://cdn.shopify.com/s/files/1/0429/5111/4908/files/bio_data_format_for_marriage_in_marathi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off000099b6.bin` `812e83f85eec9b1fb88e5da7c113ed4bfcfdfd98b9aa958e9cc9c8e9de7aa76d`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x99B6	18404 bytes
`font_00_sfnt_off00006278.bin` `58c0903a01905e11592a64812efc0dc18f14b5b37288aed6168fb2150d05e5f8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6278	5612 bytes
`font_01_sfnt_off000074d4.bin` `06b5e37f0f3b4f02ebd7835105240e25ec684474ba57a758a09d736a083fa0ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74D4	11712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.