PDF malware analysis — malicious · 298da24b5d54aedb

MALICIOUS

PDF

56.1 KB Created: 2020-08-19 01:59:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7f41a9785440ed357f8257669ec6aeab SHA-1: e34ff73b5f7d4437c62c6632b1675506418a2aad SHA-256: 298da24b5d54aedb7d8ca532a8bebc42807804852b264c5a382e2ca8547b71d2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, many of which point to a link farm hosted on Shopify. One critical heuristic firing indicates a PDF link to a known malicious redirector infrastructure at 'ttraff.cc'. The document body, though heavily obfuscated, contains the text 'Supply chain management pdf for mba' and the malicious redirector URL, suggesting a lure to trick users into clicking the malicious link. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=supply+chain+management+pdf+for+mba
- http://files.vytru.com/uploads/1/3/0/7/130776712/1c9ae906.pdf
- http://files.thienphuoccharity.com/uploads/1/3/1/8/131857115/gatozogemufumif.pdf
- http://files.stresswiseatwork.co.uk/uploads/1/3/1/6/131607163/faxuvavorano_rasunab_saroxarutenig.pdf
- http://files.maeveolynn.com/uploads/1/3/0/7/130775893/lomuvuwago.pdf
- https://cdn.shopify.com/s/files/1/0428/0126/6851/files/14087044087.pdf
- https://cdn.shopify.com/s/files/1/0440/6516/1366/files/65277980678.pdf
- https://cdn.shopify.com/s/files/1/0435/7462/4419/files/22707715488.pdf
- https://cdn.shopify.com/s/files/1/0432/5769/2320/files/26705735307.pdf
- https://cdn.shopify.com/s/files/1/0431/1960/7962/files/jimabebozopa.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/21800621301.pdf
- https://cdn.shopify.com/s/files/1/0433/5281/7832/files/27554508493.pdf
- https://cdn.shopify.com/s/files/1/0434/5744/6050/files/wevaxusivimawule.pdf
- https://cdn.shopify.com/s/files/1/0429/6966/1589/files/difepesokexoral.pdf
- https://cdn.shopify.com/s/files/1/0433/2666/8952/files/3dplm_aptitude_questions_2016.pdf
- https://cdn.shopify.com/s/files/1/0429/3450/1535/files/81509440445.pdf
- https://cdn.shopify.com/s/files/1/0437/3538/4225/files/circus_circus_menu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008dbe.bin` `fbb882632ab5f978f0e56a6a66d251243d427d0888ae19ed9c76c65638f715fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DBE	5616 bytes
`font_01_sfnt_off0000a09d.bin` `867231335fe2961a92dcb2b59d5a0b202c11d248c728ddcc77d67feb0700ee3c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA09D	10592 bytes
`font_02_sfnt_off0000c4d5.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC4D5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.