PDF malware analysis — malicious · 22973610bb0d2de2

MALICIOUS

PDF

45.6 KB Created: 2020-07-30 05:11:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 80a6ba9de13d4f595931ac3aefd9376e SHA-1: 67eba76154d1d14b01bbdcf5ffdfbccd82941bee SHA-256: 22973610bb0d2de2a45e66e45d0c69b42357952a1bd7e23f5f59ffc7cc81a829

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body, though heavily obfuscated, suggests a 'job application cover letter' lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify, likely to improve search engine ranking and distribute the malicious payload. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=job+application+cover+letter+pdf
- http://files.sondikakoaukera.com/uploads/1/3/1/3/131381722/vapevulutawoxurowog.pdf
- http://files.kb-marine.com/uploads/1/3/2/7/132740665/8047495.pdf
- http://files.jurneyofhope.com/uploads/1/3/1/4/131406717/35cbad5b2.pdf
- http://files.bespokeoff-road.com/uploads/1/3/2/6/132681812/damimexufilobasalak.pdf
- http://files.bespokeoff-road.com/uploads/1/3/2/6/132681812/damimexuf
- https://cdn.shopify.com/s/files/1/0436/5287/4390/files/kaxusigaridubonegirufa.pdf
- https://cdn.shopify.com/s/files/1/0432/9357/3284/files/66151395479.pdf
- https://cdn.shopify.com/s/files/1/0430/5027/0869/files/togagopowipabaligeguj.pdf
- https://cdn.shopify.com/s/files/1/0434/8300/5078/files/44013173102.pdf
- https://cdn.shopify.com/s/files/1/0429/8955/1770/files/19498444342.pdf
- https://cdn.shopify.com/s/files/1/0434/5161/3334/files/nekesesetoxesomi.pdf
- https://cdn.shopify.com/s/files/1/0430/8611/9079/files/figinaramop.pdf
- https://cdn.shopify.com/s/files/1/0439/2960/0168/files/vikejofesuboxagegenabebon.pdf
- https://cdn.shopify.com/s/files/1/0434/7399/3890/files/xijoli.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kemisavixazesunomezixe.pdf
- https://cdn.shopify.com/s/files/1/0432/3767/1080/files/fanotawifesug.pdf
- https://cdn.shopify.com/s/files/1/0432/5618/5000/files/12424104301.pdf
- https://cdn.shopify.com/s/files/1/0431/6977/5782/files/nupixugelemekuxexigulu.pdf
- https://cdn.shopify.com/s/files/1/0428/2672/7580/files/kazavuvakexaxetik.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000076e0.bin` `a49b1453c98a6f82ffa9b87285b55013be879a9cc11ee90ccddb5b92e179c762`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76E0	4948 bytes
`font_01_sfnt_off000087b8.bin` `991bf16fdb23ce7a0d404f9fd4bf7d687f7deaea9eaf46194134843b507dc030`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x87B8	9872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.