PDF malware analysis — malicious · f953bfcf170be213

MALICIOUS

PDF

67.3 KB Created: 2020-08-30 05:16:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4920f670758208af4e4ca61068ef649a SHA-1: d0b399f9edfa267ab9550287e99144a9a142c166 SHA-256: f953bfcf170be21335af4e47b05cbd86fbac4797afffb42908a4a4801e13f29e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with the primary heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector identified by heuristics. This suggests the document's purpose is to lure users to malicious sites via a link farm. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=kamen+rider+decade+card+agito
- https://cdn.shopify.com/s/files/1/0433/6399/1717/files/nowimedala.pdf
- https://cdn.shopify.com/s/files/1/0435/2016/3999/files/aliments_riches_en_fer.pdf
- https://cdn.shopify.com/s/files/1/0434/9113/1557/files/gifenukabujagawes.pdf
- https://cdn.shopify.com/s/files/1/0429/8643/8807/files/sc_acknowledgement_slip.pdf
- https://static.usrfiles.com/ugd/b8c837_02fdf7ef2b034ecda35f0a51f9c8da88.pdf
- https://static.usrfiles.com/ugd/b8c837_13cff52808c341408d9d2ff4f2ff97d2.pdf
- https://static.usrfiles.com/ugd/a1fb72_de15ae6a95ad4115aeaf5da307c3ba43.pdf
- https://static.usrfiles.com/ugd/e4a001_907d70b19e0143d1bcdca709c14eeab4.pdf
- https://static.usrfiles.com/ugd/93c935_b506269b2cf04530a07d7dcc0d63602e.pdf
- https://static.usrfiles.com/ugd/b8c837_3a13a7ec1bf847f49659d8af8eaf81ee.pdf
- https://static.usrfiles.com/ugd/b8c837_11d7e0a432bf4fbebf5515a8cdde996c.pdf
- https://static.usrfiles.com/ugd/b8c837_b469bbfbb92b47b990690137d1cb885f.pdf
- https://static.usrfiles.com/ugd/0adedf_787a364e9c064db79202edeef2a9d782.pdf
- https://static.usrfiles.com/ugd/b8c837_78332af507ad48bea4df53ee23f6d7e8.pdf
- https://static.usrfiles.com/ugd/b8c837_9a55c4dce9a14d7fb8f43818fd586b1a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0433/6399/1717/files/nowimedala

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008ae2.bin` `701bfe0919e011ca57c5c77f2cdc90a37a042e144ce64b15a8a2ab9e2351ab2a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8AE2	16636 bytes
`font_01_sfnt_off0000bd50.bin` `d252fbd6bb9b721fe067e617c4f248bda98b2c3e707b934e921675fdd6a65b4b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBD50	5020 bytes
`font_02_sfnt_off0000ce45.bin` `ac6d186068dc39ea7ae837f3d5955ae081a72c42495627db67bc099a9eec0b89`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCE45	15752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.