PDF malware analysis — malicious · 1a9a58d92b6f31bd

MALICIOUS

PDF

46.9 KB Created: 2020-09-19 08:24:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0824dcde2ef01fdbc8139b075ff1aac1 SHA-1: 6f50c521ab7bbe5f242f48ed5de0319bec9a1f9c SHA-256: 1a9a58d92b6f31bdf00ef5b4fc75ad54c9f89f2883d60f2e33a9702617f90045

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link that points to 'ttraff.me', which is known for distributing malware. Additionally, it hosts a large number of external PDF links, many of which are benign but serve to obscure the malicious one. The presence of a 'download button' lure further supports the malicious intent.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=mega+man+5+passwords
- https://cdn.shopify.com/s/files/1/0438/2133/4688/files/foxtel_entertainment_plus_tv_guide.pdf
- https://cdn.shopify.com/s/files/1/0480/5509/1364/files/angular_ui_modal_size.pdf
- https://cdn.shopify.com/s/files/1/0428/4494/6588/files/43020083697.pdf
- https://cdn.shopify.com/s/files/1/0432/1506/1153/files/segoxusomiwapopinekimu.pdf
- https://cdn.shopify.com/s/files/1/0433/2358/8773/files/wotimuzinizavugaz.pdf
- https://cdn.shopify.com/s/files/1/0432/6001/8852/files/64675695915.pdf
- https://cdn.shopify.com/s/files/1/0433/4823/0297/files/bgg_behindertengleichstellungsgesetz.pdf
- https://cdn.shopify.com/s/files/1/0431/3330/4993/files/80234170959.pdf
- https://cdn.shopify.com/s/files/1/0435/1354/4863/files/cemetery_gates_tab.pdf
- https://cdn.shopify.com/s/files/1/0432/6916/1110/files/arpav_dolomiti_meteo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sujaxitedidubabupopivup.pdf
- https://cdn.shopify.com/s/files/1/0481/4959/4267/files/after_we_fell_google_drive.pdf
- https://cdn.shopify.com/s/files/1/0434/4345/4102/files/application_of_gis_in_disaster_management.pdf
- https://cdn.shopify.com/s/files/1/0432/7460/0598/files/seluzixel.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000061da.bin` `98d174f6f2da9e915cdba64bd6e2215fb226443c87dbaeef7eb3934178e31a59`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61DA	3728 bytes
`font_01_sfnt_off00006f24.bin` `6b8d2804d5970ac4c84d2b84e340dab6f3b060eb8f635f2736ff5afc12ef48f9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6F24	5468 bytes
`font_02_sfnt_off000081c5.bin` `9891d800520f96a7c25da9a7bc061e0665cd772beeb50b7b5e6747e59cf0a4b8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x81C5	14248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.