PDF malware analysis — malicious · f8ff09574c6150dc

MALICIOUS

PDF

87.4 KB Created: 2020-09-09 18:57:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c610d9f2e441db6601a0818241cd7ce9 SHA-1: 711be709997fe06455ebf2e6fbd252a551746142 SHA-256: f8ff09574c6150dc04055ea68720e5f4091d1d7ed18eb620ada587fc5a1e91a0

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to malicious infrastructure, disguised as a free tenancy agreement. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates the primary URL is part of a known malicious redirector chain. The SE_INVOICE_LURE heuristic suggests a common social engineering tactic. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=free+assured+shorthold+tenancy+agreement+pdf
- https://cdn.shopify.com/s/files/1/0428/1024/5279/files/igcse_chemistry_atp_notes.pdf
- https://cdn.shopify.com/s/files/1/0439/1026/7035/files/roxutaxakunapibuzatavafo.pdf
- https://cdn.shopify.com/s/files/1/0435/5339/0743/files/accounting_audit_report_template.pdf
- https://static.usrfiles.com/ugd/defd8a_e256b221b79c44d7886b075161974d6e.pdf
- https://static.usrfiles.com/ugd/b50c55_11d7a1d52ed2457caade3089fc9a1637.pdf
- https://static.usrfiles.com/ugd/5b9365_5f705ec12f2d4301a2c10ccae9ed3541.pdf
- https://static.usrfiles.com/ugd/cfa91a_c8440fc079224588bb1604726d0855c7.pdf
- https://static.usrfiles.com/ugd/8ff694_4f70f4c010344a2f84b0a81aa62e898c.pdf
- https://static.usrfiles.com/ugd/510691_32243b6fcba245429d0049de80122f42.pdf
- https://cdn.shopify.com/s/files/1/0431/8016/3227/files/bob_seger_greatest_hits_2.pdf
- https://cdn.shopify.com/s/files/1/0428/0342/9535/files/16970802317.pdf
- https://cdn.shopify.com/s/files/1/0437/3161/5909/files/51327298901.pdf
- https://cdn.shopify.com/s/files/1/0462/7166/0189/files/symbiosis_distance_learning_project_report.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010d61.bin` `c9971f9d038cac2d9fe4a97c8d8e123c47fe3deb6fa46ed21a847f3d70c4f5ad`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10D61	5460 bytes
`font_01_sfnt_off00011fd1.bin` `77aeb1b0dd63757129019e925d582158624e7401c64fa33f1cd0f3613e09e746`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11FD1	10208 bytes
`font_02_sfnt_off000142a7.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x142A7	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.