PDF malware analysis — malicious · 28a8cbb4b05b1958

MALICIOUS

PDF

45.0 KB Created: 2020-08-16 11:00:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 888ffb8916c6e638442a2b3bfce08d35 SHA-1: 7aa25f507a5acec8a1a3a9c5db0fd127f88a9b32 SHA-256: 28a8cbb4b05b1958607c5d53cfada6307577f718b441462f6a32495a7279901c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link points to 'ttraff.com', suggesting a phishing or scam attempt. The file also contains a PDF link farm heuristic, indicating a potential SEO poisoning or spamming technique. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector is a strong indicator of malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=area+volume+of+different+shapes+pdf
- http://vemib.cdjff.org/uploads/1/3/2/8/132814930/1a1f3b79771.pdf
- https://cdn.shopify.com/s/files/1/0438/3290/1789/files/skripsi_media_audio_visual.pdf
- https://cdn.shopify.com/s/files/1/0436/0273/9362/files/manualidades_con_material_de_reciclaje.pdf
- https://cdn.shopify.com/s/files/1/0429/2080/4511/files/roleruj.pdf
- https://cdn.shopify.com/s/files/1/0429/2742/3654/files/manonevafenalimu.pdf
- https://cdn.shopify.com/s/files/1/0434/1320/9246/files/wajisewexemumava.pdf
- https://cdn.shopify.com/s/files/1/0438/1245/4560/files/62506480962.pdf
- https://cdn.shopify.com/s/files/1/0435/4621/4564/files/treble_booster_app_for_android_phone.pdf
- https://cdn.shopify.com/s/files/1/0429/9656/4131/files/21486495866.pdf
- https://cdn.shopify.com/s/files/1/0437/7041/3207/files/list_of_all_bharat_ratna_award_winners.pdf
- https://cdn.shopify.com/s/files/1/0433/5117/9416/files/ty_beanie_baby_pricing_guide.pdf
- https://cdn.shopify.com/s/files/1/0440/3894/6981/files/33080625628.pdf
- https://cdn.shopify.com/s/files/1/0429/1775/7095/files/fidazolafimejaxe.pdf
- https://cdn.shopify.com/s/files/1/0433/1523/2921/files/xetidigefigemo.pdf
- https://cdn.shopify.com/s/files/1/0437/5629/0206/files/american_horror_story_cult_parents_guide.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000658b.bin` `f28dd06468c6a227ae4069fb956013c7b7ed86fc9115ead6676295b6d6a581cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x658B	5212 bytes
`font_01_sfnt_off00007715.bin` `165bf1327f3a7959b8be6fe3a4f1df9c2e9ce8445d9f780fce66b60f9edb294b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7715	9924 bytes
`font_02_sfnt_off00009917.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9917	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.