Malware Insights
This PDF file contains a large number of external links, forming a link farm designed to obscure the ultimate destination. One of the primary links, 'https://ttraff.link/pify?keyword=kamasutra+guide+pdf', is identified as a malicious redirector. The document body, though heavily corrupted, contains references to 'kamasutra guide pdf' and 'wkhtmltopdf', suggesting a lure to potentially malicious content disguised as a guide. The presence of numerous links to files hosted on filesusr.com and cdn.shopify.com, while some are confirmed benign, indicates a pattern of using these platforms to host or redirect to malicious content.
Heuristics 3
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://ttraff.link/pify?keyword=kamasutra+guide+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00008690.bin (63769a2ac12d6a0cf8c3badb54b51e562a1dd0dacf0ffc3f05a515968f805762) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8690 | 5300 bytes |
| font_01_sfnt_off00009887.bin (b603441a9bde310eb0f445f0267b5480d301fd08a272708a28c7e6d2ad57e0a2) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9887 | 10496 bytes |