Verdict: MALICIOUS (Risk Score: 120)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a malicious payload or phishing site. The document body, though heavily obfuscated, contains the same URL and references to 'Greatest American Hero theme song', suggesting a lure. The PDF also exhibits characteristics of a link farm, with numerous embedded links to other PDF files, many hosted on Shopify. This suggests a campaign distributing malicious content through a network of linked documents.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.cc/pify?keyword=greatest+american+hero+theme+song
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000083c8.bin | ebbd2b42491c2b3ffa5526420f3ae64113188b33930ab520ba08eab0d468de9c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83C8 | 4080 bytes |
| font_01_sfnt_off0000922e.bin | 8f741b70f6d66b255ceedaeafc3864bd9a2154f67468dd8fb3d5dd4e9bf91c35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x922E | 5212 bytes |
| font_02_sfnt_off0000a3bd.bin | 596fe1033303a7d1b2c8d1a0003298ffb25d468cab8cb0eaa00d293509ed1498 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3BD | 10024 bytes |