MALICIOUS
Risk Score: 68
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though partially corrupted, contains text related to 'complicated intra abdominal infection guidelines' and an urgency lure, suggesting a phishing or malware delivery attempt. The embedded URL is the primary indicator of malicious intent, likely serving as a gateway to a malicious payload or phishing page.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Urgency / deadline lure (low, SE_URGENCY_LURE): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.com/pify?keyword=complicated+intra+abdominal+infection+guidelines
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00022392.bin | ad566c11c0fcc597f960421833c5dccaa6a4a01d3b4fb0ab22f0eacf9d683a80 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x22392 | 5520 bytes |
| font_01_sfnt_off00023631.bin | c7474f8dd4f1733b929b1297394fab5946886c807dee2788ac2e6a295e8fd7d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23631 | 14828 bytes |
| font_02_sfnt_off000264ce.bin | c1c5bec23f514e5a59573dae6689e631a15e823593e27a279d634b7ba5ba0059 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x264CE | 16272 bytes |