PDF malware analysis — malicious · 3145a6fd8ef9217c

MALICIOUS

PDF

47.1 KB Created: 2020-08-14 21:48:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 65714bed63695ec411bcd20d934e8aa8 SHA-1: 26427805e8d630ef00ce76cc0643fd3fe34065e5 SHA-256: 3145a6fd8ef9217c956065736585ee5991e65b83f012224e62b9d1b75496a803

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body, though heavily obfuscated, includes the same URL and a reference to 'Aslan pharmaceuticals ltd annual report', suggesting a lure. Another critical heuristic indicates a PDF link farm, with the highest-priority URL being a Shopify link that is likely part of the same distribution chain. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=aslan+pharmaceuticals+ltd+annual+report
- http://files.provhaitioutreach.org/uploads/1/3/1/1/131164446/bakaxejufa.pdf
- http://sitowel.gbtransplantcycling.com/uploads/1/3/2/6/132682076/vowupuw.pdf
- http://files.kenleverart.com/uploads/1/3/0/7/130775529/5fc4f4a.pdf
- http://naruxuf.skellysongs.com/uploads/1/3/1/1/131163927/nafupe-paduparu-kaxepedenu.pdf
- https://cdn.shopify.com/s/files/1/0432/2571/0756/files/analog_and_digital_electronics_download.pdf
- https://cdn.shopify.com/s/files/1/0433/2873/3352/files/38932984482.pdf
- https://cdn.shopify.com/s/files/1/0430/8254/7361/files/29479270362.pdf
- https://cdn.shopify.com/s/files/1/0433/3866/2053/files/zimapipodogibilosuvuwuter.pdf
- https://cdn.shopify.com/s/files/1/0433/4216/8218/files/fobebijoratiza.pdf
- https://cdn.shopify.com/s/files/1/0432/1509/3924/files/ditakimamizejutiserodavo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/97454987384.pdf
- https://cdn.shopify.com/s/files/1/0431/6761/3087/files/85332214981.pdf
- https://cdn.shopify.com/s/files/1/0431/5624/2581/files/rename_multiple_columns_in_r.pdf
- https://cdn.shopify.com/s/files/1/0432/3141/2379/files/lofasu.pdf
- https://cdn.shopify.com/s/files/1/0432/4553/5400/files/tegunegadoganomuzezodulo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jewepogepavab.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006928.bin` `a8256523c2d63f807e6cbbe9b9e4f81b1aae151147077bf74e0a03925b35bd27`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6928	2984 bytes
`font_01_sfnt_off000073d8.bin` `ef5be0c3b187aeccb347579755f558aa17b5c6375b71e6221cbdc41141734151`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73D8	5300 bytes
`font_02_sfnt_off000085a1.bin` `de416fbebbac59380c0b595686a6f1e0fc207901d218bcf477f05bb6a8f76acc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x85A1	11676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.