PDF malware analysis — malicious · fc201f0a5fb09c8c

MALICIOUS

PDF

40.6 KB Created: 2020-07-31 18:15:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: beac7b09f0c9d3ec6f279855ba8b4406 SHA-1: 7125e684fbf8e5e7cfb99b0387e23b26fad90ee5 SHA-256: fc201f0a5fb09c8c31b76fe49b058d60119d281324e4d6a98a1cd881580d1aea

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Phishing: Spearphishing Link T1204.001 Malicious Link/URL

The PDF contains embedded links that redirect to malicious infrastructure, specifically identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text related to 'how to reset google wifi', aligning with the lure. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, many hosted on Shopify, suggesting an attempt to leverage legitimate platforms for distribution. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
QR-code redirect lure medium SE_QR_LURE

Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=how+to+reset+google+wifi
- http://files.levitytherapeutics.com/uploads/1/3/2/6/132681947/jobule-domep.pdf
- http://files.thestrangenamemovie.com/uploads/1/3/2/6/132681066/pomiwegowokuketilip.pdf
- http://files.panamahome.org/uploads/1/3/0/8/130814674/xewokuzefaxogo.pdf
- http://files.joeykoromart.com/uploads/1/3/0/7/130775707/kenikinad-relos.pdf
- http://files.bestfriendsah.ca/uploads/1/3/1/3/131381021/zofusuvesina.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81603963226.pdf
- https://cdn.shopify.com/s/files/1/0428/2076/3804/files/piguruxujofug.pdf
- https://cdn.shopify.com/s/files/1/0427/6856/4380/files/wuwivajoxejoxunokaturan.pdf
- https://cdn.shopify.com/s/files/1/0436/3884/9694/files/69819854439.pdf
- https://cdn.shopify.com/s/files/1/0431/5742/2229/files/53173791084.pdf
- https://cdn.shopify.com/s/files/1/0432/5195/7923/files/lepefafojurizorusod.pdf
- https://cdn.shopify.com/s/files/1/0435/5837/1496/files/97608217777.pdf
- https://cdn.shopify.com/s/files/1/0427/9212/4572/files/wududa.pdf
- https://cdn.shopify.com/s/files/1/0433/8342/3128/files/pepusatirunotap.pdf
- https://cdn.shopify.com/s/files/1/0428/5690/6911/files/58180098115.pdf
- https://cdn.shopify.com/s/files/1/0437/0441/8459/files/nanedevipipoxawo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000062da.bin` `b3974c26eb3dc15858d4392564d04983ef93dcba4ffd8fc05178cbb49144c811`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x62DA	4780 bytes
`font_01_sfnt_off0000733c.bin` `a14801055b75f65003f5e298235b6a84ba820ef1e6b2d62c22b2ec49991f452f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x733C	10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.