Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c85254e16492ee5…

Verdict: MALICIOUS
File type: PDF
Size: 71.4 KB
Created: 2020-09-17 08:54:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85f742d9941cfbdb8008ff107ff3f9c5
SHA-1: a7cda5b5541f19ef5d9897b3396b39fdc9276e35
SHA-256: 1c85254e16492ee50346619d61293a5de6f171ce2a78701aef98034243fb1bf7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. This pattern is often used to obscure malicious intent or to build a link farm for SEO poisoning. One critical heuristic fired on a direct link to a known malicious redirector, 'ttraff.link', combined with a keyword related to academic content. This suggests a phishing or malware delivery attempt disguised as an academic resource.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/wix?keyword=edward+said+orientalism+summary+slideshare
    • http://files.danvilletrikappa.org/uploads/1/3/0/8/130874067/cba5cd008.pdf
    • http://rotawegaz.treehousebuys.com/uploads/1/3/2/7/132710677/1a9c86403cb04.pdf
    • http://files.danvilletrikappa.org/uploads/1/3/0/8/130874067/cba5cd008
    • https://cdn.shopify.com/s/files/1/0434/7795/8822/files/bovopofaxomajoriwolonasir.pdf
    • https://cdn.shopify.com/s/files/1/0431/4107/1016/files/oxford_bookworms_library_stage_6_the_woman_in_white.pdf
    • https://cdn.shopify.com/s/files/1/0434/1517/5335/files/fobizolugi.pdf
    • https://cdn.shopify.com/s/files/1/0435/4329/8207/files/.pdf
    • https://487e2efa-8b3a-4c19-b088-d7eab8f485e8.filesusr.com/ugd/69695d_b6efb9b044db4badba983f0987557f53.pdf?index=true
    • https://a4135a05-8eae-489a-b644-94acbe6750fb.filesusr.com/ugd/a18601_c045e24f02734dbf85b40f96b5f24572.pdf?index=true
    • https://8df40ebd-13f0-4e63-86cd-1a9f98b7a360.filesusr.com/ugd/0e6328_bd25c6eb5c82435db112bb642efa627f.pdf?index=true
    • https://f3690bef-1d66-445b-bda2-c3f3c9bb2fe0.filesusr.com/ugd/aa14a9_fbe581f6259b4074a772611d8ab50d49.pdf?index=true
    • https://c7323f14-8c6f-43f1-b54a-6b2a61d290fb.filesusr.com/ugd/43d598_110e78dbb8e24bc8bc5e8e67cc7b054f.pdf?index=true
    • https://b5b3e5c8-5807-4c85-8f27-8b7d0e237dac.filesusr.com/ugd/0b46e6_fad31ae4cc0142ae94257b70600cef2c.pdf?index=true
    • https://b63e9ec7-6fdc-44a9-bcec-1842a7eeb0e8.filesusr.com/ugd/105a8c_02867643e7c54439882b858b3679fb24.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: font_00_sfnt_off0000daf6.bin
SHA-256: 811b7e029f9a9fe54a90d6658833c707df50f11cd5d4b56f4a6be60a9833f057
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDAF6
Size: 5216 bytes

Filename: font_01_sfnt_off0000eca0.bin
SHA-256: 7853ecf2206f1d1843a57265625858b7a93b61c9e0bab5ad4212e71b704dd960
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xECA0
Size: 10516 bytes