PDF malware analysis — malicious · 317726275814873a

MALICIOUS

PDF

53.0 KB Created: 2020-08-27 20:00:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 57e5842df508125e3bce9be0a839aa2e SHA-1: 5cd49bf424b7f341342709c0aaba0ea7d1001d8a SHA-256: 317726275814873a0bd4b53dc4d1b6b3d60902533b85ad952861c3f2ab857765

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure via the URL https://ttraff.com/pify?keyword=baahubali+telugu+songs+free++320kbps. This suggests the document is designed to trick users into clicking malicious links under the guise of providing popular media content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=baahubali+telugu+songs+free++320kbps
- http://files.loumurrey.com/uploads/1/3/2/6/132682542/rajun.pdf
- http://files.chawneralmshouses.co.uk/uploads/1/3/2/7/132710632/najanutudoxogenurum.pdf
- http://gugif.pnba-artists.org/uploads/1/3/2/6/132681947/wuvoju.pdf
- https://cdn.shopify.com/s/files/1/0431/2317/9677/files/vuxexes.pdf
- https://cdn.shopify.com/s/files/1/0433/6576/1176/files/73342084991.pdf
- https://cdn.shopify.com/s/files/1/0435/6908/6623/files/update_python_mac.pdf
- https://cdn.shopify.com/s/files/1/0435/4444/5092/files/newejituduwaj.pdf
- https://cdn.shopify.com/s/files/1/0432/2174/5822/files/centrale_sans_condensed_font.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/todexarim.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/26965864763.pdf
- https://cdn.shopify.com/s/files/1/0432/9222/9787/files/afcat_2018_questions_with_answers.pdf
- https://cdn.shopify.com/s/files/1/0428/2925/0719/files/application_for_texas_title_form_130_u.pdf
- https://cdn.shopify.com/s/files/1/0434/2490/7414/files/powujikijukisepazanoto.pdf
- https://cdn.shopify.com/s/files/1/0433/9249/9868/files/are_banks_closed_on_presidents_day_2017.pdf
- https://cdn.shopify.com/s/files/1/0435/3641/6936/files/25661902024.pdf
- https://cdn.shopify.com/s/files/1/0432/8967/3883/files/zuses.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007a43.bin` `de03b5075912b9fda00169aba13053d53adeb842b42720d261944ed3a3b89bd4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A43	5736 bytes
`font_01_sfnt_off00008dbd.bin` `dfe63c8ba3f680c98e3b52e34d09f9e32a5fa48dcc6b72dc38d19367374b6c22`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DBD	13472 bytes
`font_02_sfnt_off0000b8c2.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB8C2	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.