PDF malware analysis — malicious · 2618622a89240945

MALICIOUS

PDF

47.0 KB Created: 2020-08-30 00:27:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 522b84ff44f5b89f1cb612b0a923c5e9 SHA-1: d412e127825588aa460468ceb0578648074d21c8 SHA-256: 2618622a89240945c8902a5d5a583c1d4989001e89ef27c3e249cba95b154424

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links, a technique often used for SEO link farms or to redirect users to malicious sites. One of the primary URLs, 'https://ttraff.com/wix?keyword=volver+con+ella+pdf', is flagged as a known malicious redirector. While many other links point to Shopify, the presence of the malicious redirector is a strong indicator of malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=volver+con+ella+pdf
- https://cdn.shopify.c
- https://cdn.shopify.com/s/files/1/0433/5288/3352/files/75736315655.pdf
- https://cdn.shopify.com/s/files/1/0437/5163/7141/files/dotumem.pdf
- https://cdn.shopify.com/s/files/1/0431/7079/1573/files/49527251737.pdf
- https://cdn.shopify.com/s/files/1/0431/2023/0564/files/70143315198.pdf
- https://cdn.shopify.com/s/files/1/0429/0392/8991/files/apc_back_ups_xs_1000_manual.pdf
- https://cdn.shopify.com/s/files/1/0434/7199/5030/files/15510348373.pdf
- https://cdn.shopify.com/s/files/1/0431/3815/4657/files/5990615841.pdf
- https://cdn.shopify.com/s/files/1/0427/4746/1788/files/86340118287.pdf
- https://cdn.shopify.com/s/files/1/0431/5791/3754/files/chromecast_background_images_url.pdf
- https://cdn.shopify.com/s/files/1/0428/4642/1158/files/discord_markdown_strikethrough.pdf
- https://cdn.shopify.com/s/files/1/0429/9993/9235/files/carrera_armamentista_en_la_guerra_fria.pdf
- https://cdn.shopify.com/s/files/1/0439/6479/2990/files/lituzikorowotiles.pdf
- https://static.usrfiles.com/ugd/c5d40f_8e6dd51b99f7492cb5539bc606c96974.pdf
- https://static.usrfiles.com/ugd/b8c837_2f4c05d4cd9f4809ad1a8fb468ce694b.pdf
- https://static.usrfiles.com/ugd/1cfe37_d458656441314c9bacf056a5ac547b09.pdf
- https://static.usrfiles.com/ugd/b8c837_f233452c5c7f4ad3997400f5b8f625a5.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006cc2.bin` `6a2d15697871194caa87e108072bb62bc857844b5ff458ef5dbb5462068c4007`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CC2	4996 bytes
`font_01_sfnt_off00007dcc.bin` `1f756b46481ac718095810e133e155ec1caf818687d25c20e8b002f727d713c7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7DCC	2116 bytes
`font_02_sfnt_off00008778.bin` `e084c84f3fd23456e867a5cd5744089d8ba1eeb699723f205644e9eef4e007fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8778	11552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.