PDF malware analysis — malicious · 310ba1559798150a

MALICIOUS

PDF

45.9 KB Created: 2020-08-28 02:41:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 40f9c20f1e255f64a9fe6d37ef86b504 SHA-1: 4db6f7c0c525cf0b26569e875baf82bab7e02278 SHA-256: 310ba1559798150a0d2d608da92999bde4dd13f8f0b0ae359019334da34b6a14

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.me/pify?keyword=thu%25E1%25BB%2591c+t%25C4%2583ng+c%25C3%25A2n+c%25E1%25BB%25A7a+nga, which is flagged as malicious. The document body, though partially corrupted, contains this same URL, suggesting an attempt to lure users to malicious content. The presence of a link farm heuristic further supports the malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/pify?keyword=thu%25E1%25BB%2591c+t%25C4%2583ng+c%25C3%25A2n+c%25E1%25BB%25A7a+nga
- http://zorukaf.roxaniart.com/uploads/1/3/2/6/132681670/294dbaaab579b04.pdf
- https://cdn.shopify.com/s/files/1/0431/4628/1120/files/caucho_definicion.pdf
- https://cdn.shopify.com/s/files/1/0430/1763/3949/files/70805113705.pdf
- https://cdn.shopify.com/s/files/1/0440/1758/2230/files/suwoneritarunududo.pdf
- https://cdn.shopify.com/s/files/1/0440/0221/4046/files/administracion_publica_libros.pdf
- https://cdn.shopify.com/s/files/1/0428/0342/9535/files/66618646229.pdf
- https://cdn.shopify.com/s/files/1/0432/5657/8206/files/27213389035.pdf
- https://cdn.shopify.com/s/files/1/0431/7796/7778/files/bidvest_namibia_information_technology_vacancies.pdf
- https://cdn.shopify.com/s/files/1/0433/4141/4552/files/82226273881.pdf
- https://cdn.shopify.com/s/files/1/0433/2158/9913/files/vuwunomotuwepifekupikinud.pdf
- https://cdn.shopify.com/s/files/1/0431/5214/6587/files/mad_catz_rat.pdf
- https://cdn.shopify.com/s/files/1/0441/0392/5912/files/kd_tree_java.pdf
- https://cdn.shopify.com/s/files/1/0465/0362/4856/files/angry_birds_transformers_unlimited_gems_hack.pdf
- https://cdn.shopify.com/s/files/1/0428/2250/0518/files/54065642952.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c6b.bin` `a8fe82c7ac10f2a98d38ee6e428ebc247a09494aa163aedb334f15f0b5294d48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C6B	5128 bytes
`font_01_sfnt_off00006c6c.bin` `25abb3e630c7da67d5bf9ba32f021c2cbdd2afc890cedc8eb85ff0c908102a6a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C6C	21448 bytes
`font_02_sfnt_off00009b02.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9B02	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.