MALICIOUS
Risk Score 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=xenoverse+2+guru+rewards'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure related to game rewards. The primary attack pattern involves tricking the user into clicking the malicious link.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://ttraff.club/wix?keyword=xenoverse+2+guru+rewards
- https://cdn.shopify.com/s/files/1/0437/8502/7745/files/mipitugezuzurojirop.pdf
- https://cdn.shopify.com/s/files/1/0432/2590/7368/files/sample_application_letter_for_teaching_position_in_high_school.pdf
- https://cdn.shopify.com/s/files/1/0429/4960/7590/files/66698485210.pdf
- https://cdn.shopify.com/s/files/1/0429/2316/3801/files/laxitaramezoxeva.pdf
- https://static.usrfiles.com/ugd/b8c837_e8ce41ed67484d7aac2e39a0f21bf604.pdf
- https://static.usrfiles.com/ugd/61b8bf_304e87d022a74f5680acec894f1ed06f.pdf
- https://static.usrfiles.com/ugd/b8c837_6366e65a4a3b459eb9fa0198f48752ea.pdf
- https://static.usrfiles.com/ugd/b8c837_17f1c1cc5e7d4cbe956763da8340c39f.pdf
- https://static.usrfiles.com/ugd/b8c837_86c9a4350dd940938455b2054075c08f.pdf
- https://static.usrfiles.com/ugd/b8c837_95a2de1656cb4c7db8a4ad7c9169c6ee.pdf
- https://static.usrfiles.com/ugd/b8c837_72352d5fda344b42a69c506199c407bb.pdf
- https://static.usrfiles.com/ugd/b8c837_ce9fe9742dad456c8961b1dc3fe4173d.pdf
- https://static.usrfiles.com/ugd/b8c837_17deed89015940d9a6f183a05e92f7a5.pdf
- https://static.usrfiles.com/ugd/b8c837_625fc9eed6064170b7865bbc90d4bb3c.pdf
- https://static.usrfiles.com/ugd/b8c837_c882a1daaa0040a3a135eded686fe671.pdf
- https://static.usrfiles.com/ugd/b8c837_fe4db59a38d34125ab614f0278647cb5.pdf
- https://static.usrfiles.com/ugd/b8c837_6af7c90fc7c6482182a8da4ad1b15588.pdf
- https://static.usrfiles.com/ugd/b8c837_aa221773c22547fdb89987f057ae7911.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000061a1.bin | d92b34872d45add35c468f55894f8cdaf2fb24a8411eac532d6abe56f609aa99 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x61A1 | 5224 bytes |
| font_01_sfnt_off00007382.bin | 6811449880ac72f1bafdb296c579325b837a0790d0e53aed05832e7225e14f17 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7382 | 10420 bytes |