PDF malware analysis — malicious · 1c14be4db2d56828

MALICIOUS

PDF

63.2 KB Created: 2020-08-14 02:21:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 66020dfb4dc89347d519334a9d714cf8 SHA-1: 69d998059acab3c2a18f1aa133e444a2f96d9b8f SHA-256: 1c14be4db2d56828916b630eb66a9f9b36a3603c88e3df6f939bd964a8b94929

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, including one to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=pulse+width+modulation+theory+pdf', indicating a lure to a malicious site. The presence of numerous Shopify-hosted PDF links suggests a link farm for SEO poisoning or traffic generation, with the primary malicious link being the entry point.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=pulse+width+modulation+theory+pdf
- http://koluzizol.myteachertoolbelt.com/uploads/1/3/1/4/131437826/gexegade.pdf
- http://tuwitami.pandgdolls.net/uploads/1/3/0/7/130775162/misuru-fuserav-pawexomupipeje-sapomoferijoti.pdf
- http://files.theseguinebook.org/uploads/1/3/1/3/131379054/zofizituzewodo-guxegufagodaru.pdf
- http://files.thebetterbrasspipe.com/uploads/1/3/2/7/132740218/daf3e1d8396c143.pdf
- http://milivopo.nicolasandysmillinery.com/uploads/1/3/1/3/131379578/tawuxovopujezolexu.pdf
- https://cdn.shopify.com/s/files/1/0447/1308/3036/files/anime_style_moba_apk.pdf
- https://cdn.shopify.com/s/files/1/0429/2742/3654/files/97418959459.pdf
- https://cdn.shopify.com/s/files/1/0440/0631/0046/files/sixth_sense_technology_in_ieee_format.pdf
- https://cdn.shopify.com/s/files/1/0434/6016/5797/files/wejiroxifa.pdf
- https://cdn.shopify.com/s/files/1/0431/6237/0202/files/odd_future_vans_for_sale.pdf
- https://cdn.shopify.com/s/files/1/0428/4533/9814/files/wezuzerupigipasitefowupe.pdf
- https://cdn.shopify.com/s/files/1/0433/5419/4085/files/2445594745.pdf
- https://cdn.shopify.com/s/files/1/0431/6217/3604/files/94430849029.pdf
- https://cdn.shopify.com/s/files/1/0434/8156/3286/files/dalijinaf.pdf
- https://cdn.shopify.com/s/files/1/0436/0273/9362/files/50861512056.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000099cb.bin` `010c700956a1457f133756a2ce9d0fe00533e6f478f1b885de8c6d1f776eac96`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x99CB	5476 bytes
`font_01_sfnt_off0000ac57.bin` `f51bcdd7850c40352ae0d7e126c241afdc008a5e1ee3073d4655a18c7b1cb79c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAC57	14304 bytes
`font_02_sfnt_off0000d9f6.bin` `e9f703c4ed1acc88334f39b92800ed538b4d6ca42673e399a1dae764d22c6fc1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD9F6	16228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.