PDF malware analysis — malicious · 35004fc93951548f

MALICIOUS

PDF

47.0 KB Created: 2020-07-31 16:40:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4b167f539708eeb6865b77cc351ae914 SHA-1: f7401d0dddc9109594494469163e4a20e678d190 SHA-256: 35004fc93951548f64ead1a2aad0e35f7e72a2347ef43d30cf2e9886fdddc207

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/pify?keyword=fire+by+kristin+cashore+pdf`. This URL is embedded within the document body, suggesting a social engineering lure. The PDF also contains a large number of external links, many hosted on `cdn.shopify.com`, indicating a link farm for SEO manipulation or distribution. The primary malicious URL is the most critical IOC.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=fire+by+kristin+cashore+pdf
- http://files.section27alliance.com/uploads/1/3/0/9/130969480/xemax.pdf
- http://files.shopelizabethann.com/uploads/1/3/0/7/130776341/e2e41.pdf
- http://files.regenbiopharmainc.com/uploads/1/3/1/3/131398360/kizorasapesavu-pegurepijejano-rigut.pdf
- http://files.portchestereyecare.com/uploads/1/3/1/4/131406442/5394a.pdf
- http://files.deft-touch.com/uploads/1/3/0/8/130814676/kozofumo-zavoridirar.pdf
- http://files.deft-touch.com/uploads/1/3/0/8/130814676/kozofumo-zavoridir
- https://cdn.shopify.com/s/files/1/0427/8406/3654/files/rululipapilitagil.pdf
- https://cdn.shopify.com/s/files/1/0429/7755/8681/files/63375668089.pdf
- https://cdn.shopify.com/s/files/1/0429/5753/7439/files/53103211926.pdf
- https://cdn.shopify.com/s/files/1/0436/9252/3675/files/luromu.pdf
- https://cdn.shopify.com/s/files/1/0434/0265/7957/files/javajetazonuxos.pdf
- https://cdn.shopify.com/s/files/1/0433/0710/6462/files/51374790035.pdf
- https://cdn.shopify.com/s/files/1/0437/7434/5365/files/zaxuretoramirerofadij.pdf
- https://cdn.shopify.com/s/files/1/0437/3685/8773/files/resujirajujumadetume.pdf
- https://cdn.shopify.com/s/files/1/0431/1384/0793/files/73503394932.pdf
- https://cdn.shopify.com/s/files/1/0431/7121/7572/files/15470333453.pdf
- https://cdn.shopify.com/s/files/1/0430/5872/5018/files/xijofe.pdf
- https://cdn.shopify.com/s/files/1/0431/6990/6854/files/ponuzedokumawukekar.pdf
- https://cdn.shopify.com/s/files/1/0434/4473/2065/files/98199852544.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007a83.bin` `fbf41e70e6696cd8199069af4c1e4b261aa871797a1b39eb10b2569178bc8832`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7A83	5472 bytes
`font_01_sfnt_off00008d22.bin` `50832767763e0a4e7eaede613c2787f0fcd307cfc8584fd8a298cccebe0fd226`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D22	9828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.