PDF malware analysis — malicious · fd0feb57771a47c7

MALICIOUS

PDF

43.1 KB Created: 2020-09-01 11:29:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5ce6eaa96f4a9b54a583c7aa9f63c48a SHA-1: 1fe189fc55d9dd8bed2ca5ff87b5aec53a4db541 SHA-256: fd0feb57771a47c7ac9f2902c70f33b12ba2a3300888d7e57ae9365a18e84c59

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, with one prominent link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'ambient mode android 10' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous PDF links, many hosted on Shopify, indicates a link farm strategy to distribute the malicious payload.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=ambient+mode+android+10
- https://cdn.shopify.com/s/files/1/0437/9534/9661/files/28057404577.pdf
- https://cdn.shopify.com/s/files/1/0428/1591/4151/files/43991507911.pdf
- https://cdn.shopify.com/s/files/1/0429/9869/4042/files/75591840422.pdf
- https://cdn.shopify.com/s/files/1/0431/5955/2155/files/sepokivenasuxuz.pdf
- https://cdn.shopify.com/s/files/1/0431/5093/4173/files/96980239979.pdf
- https://static.usrfiles.com/ugd/1b8612_d8d2180a94d1466894ed35156c1a8e2d.pdf
- https://static.usrfiles.com/ugd/e2f7e1_84a9a0fc75c04d2bad9a469f52d93d89.pdf
- https://static.usrfiles.com/ugd/3bca44_2f728a4bf36543bd901615ff6a77168b.pdf
- https://cdn.shopify.com/s/files/1/0432/6152/6166/files/fegetexavafigaw.pdf
- https://cdn.shopify.com/s/files/1/0437/1985/2187/files/18581073339.pdf
- https://cdn.shopify.com/s/files/1/0438/6524/3813/files/adobe_reader_free_download_software_for_windows_7.pdf
- https://cdn.shopify.com/s/files/1/0432/2977/3982/files/55853884789.pdf
- https://cdn.shopify.com/s/files/1/0430/7661/6341/files/fozonuzavurasonuwiloru.pdf
- https://cdn.shopify.com/s/files/1/0437/7113/4106/files/carduran_bula.pdf
- https://cdn.shopify.com/s/files/1/0432/1126/0062/files/mupojuj.pdf
- https://cdn.shopify.com/s/files/1/0440/3894/6981/files/peachtree_accounting_tutorial_free_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006110.bin` `03a7af3aa5efdd6567e79375dd8810b42c6adeac704f658caee797978898f585`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6110	5084 bytes
`font_01_sfnt_off0000723b.bin` `9f8eff03390f4acaaf00b60f121afe18ba4c2e5c518c4e7eced54e2ce79afe4a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x723B	2096 bytes
`font_02_sfnt_off00007bd3.bin` `aca7277cfa754b96a36759f18bd348aa6453a76fcdc83a32d60fa0b958f4c2e8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7BD3	10432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.