PDF malware analysis — malicious · fe444ba79d44ef4b

MALICIOUS

PDF

51.1 KB Created: 2020-09-01 01:37:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3caf7200d20e18a327de73b1dfaf8304 SHA-1: 2be9521889bfb1905c6d7f26aab8512bdd2ca750 SHA-256: fe444ba79d44ef4b83dcd9c4ac1a7ae966e249b30ee2b0e2704c622ede7179e1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to a URL related to 'austria visa application form'. This indicates a phishing or scam attempt. The document body, though heavily obfuscated, also contains the same URL. The file also exhibits characteristics of a link farm, with numerous embedded URLs, suggesting an attempt to manipulate search engine results or distribute malicious links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=austria+visa+application+form
- https://static.usrfiles.com/ugd/b8c837_9e56b2ce15c044e99ac8fe15d1b72301.pdf
- https://static.usrfiles.com/ugd/b8c837_4f926360824e48f68cdc451d1f424712.pdf
- https://static.usrfiles.com/ugd/d7ba0f_75049e07fcd1476aab40c4eaf817c031.pdf
- https://static.usrfiles.com/ugd/1df9ea_60411b2fff614d45a9ffaac6fb8cd06e.pdf
- https://static.usrfiles.com/ugd/b8c837_7af8bd65cb784c87af0e8e52cf512c72.pdf
- https://cdn.shopify.com/s/files/1/0430/9729/2967/files/73753307640.pdf
- https://cdn.shopify.com/s/files/1/0432/3636/0351/files/59538668185.pdf
- https://cdn.shopify.com/s/files/1/0437/8607/6309/files/angular_formarray_get_formgroup.pdf
- https://cdn.shopify.com/s/files/1/0434/2739/7797/files/novuvatefusesifefomif.pdf
- https://static.usrfiles.com/ugd/b8c837_0f6efb5891d44ca0b4e97c0a94d21fcd.pdf
- https://static.usrfiles.com/ugd/7c3584_5c6fd9ede5ed4ef3ab141b47655f7fef.pdf
- https://cdn.shopify.com/s/files/1/0436/6457/2569/files/download_to_word_converter_offline_software.pdf
- https://cdn.shopify.com/s/files/1/0428/7689/5398/files/jodomaxowevifu.pdf
- https://cdn.shopify.com/s/files/1/0432/6234/5384/files/tadebiwuwofipirar.pdf
- https://cdn.shopify.com/s/files/1/0434/0501/7249/files/fusutopolejuli.pdf
- https://cdn.shopify.com/s/files/1/0429/3391/1705/files/fulusafagunedemizezajorox.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007c8e.bin` `bead2154d80acae3b7dc876aabe0dbc64693eecf56b79ff1c53040ae3b2f77de`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7C8E	4972 bytes
`font_01_sfnt_off00008d52.bin` `423bedcb0542a4cdb2be8662e365306def9ff62454943e6cf7c7eaab99209367`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D52	10468 bytes
`font_02_sfnt_off0000b112.bin` `05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB112	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.