MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of external links, many of which point to Shopify domains, but one critical link redirects to known malicious infrastructure at 'ttraff.cc'. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to disguise the malicious intent behind a lure related to kindergarten worksheets. The primary attack pattern is redirecting the user to a malicious site via a link embedded in the document.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.cc/wb?keyword=prepositions%20in%20on%20under%20worksheets%20for%20kindergarten%20pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000559c.bin | aa4ba44ad049b3de5aa9fe331697666f11d3a4ee66a6fd5f67eca09932f08b21 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x559C | 5428 bytes |
| font_01_sfnt_off00006823.bin | 7e6ee1b46a4e652b665b1db59af968b1a4399b65b623f8a28a25ecfe47b983e2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6823 | 10192 bytes |