PDF malware analysis — malicious · 35b8ad2f83cee180

MALICIOUS

PDF

38.8 KB Created: 2020-08-18 21:42:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: dde319cda885c85041b30eee3135055d SHA-1: d7cb31e901ebbd30aa8ffc0936fd5e8d62172331 SHA-256: 35b8ad2f83cee1804aed79580a7195b38cff82afa96eb3504a4b68fb1e6716e4

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a lure related to an 'Android one oreo update mi a1' and includes a critical heuristic firing for a malicious redirector link to 'ttraff.com'. The document body also contains numerous embedded links, many pointing to Shopify domains, but the primary malicious link is to 'ttraff.com'. The presence of a link farm heuristic suggests an attempt to manipulate search engine results or distribute malicious content through a large number of links. The document body's content and the malicious redirector link strongly indicate a phishing or malware distribution attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=android+one+oreo+update+mi+a1
- http://files.lashthetics.shop/uploads/1/3/0/7/130776208/b1ca995dbe8de.pdf
- http://files.tritherapymt.com/uploads/1/3/1/4/131406592/muwigitadudoxed.pdf
- http://files.closeandpaschalauction.com/uploads/1/3/1/6/131607063/8792964.pdf
- https://cdn.shopify.com/s/files/1/0430/7881/1810/files/xotesijaxi.pdf
- https://cdn.shopify.com/s/files/1/0429/4659/2924/files/96833675640.pdf
- https://cdn.shopify.com/s/files/1/0438/2624/9885/files/tegivawudokosijavox.pdf
- https://cdn.shopify.com/s/files/1/0441/2473/3592/files/44802834434.pdf
- https://cdn.shopify.com/s/files/1/0438/4836/8288/files/97528204289.pdf
- https://cdn.shopify.com/s/files/1/0434/9270/4408/files/37771817626.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1015/files/30956230902.pdf
- https://cdn.shopify.com/s/files/1/0429/6350/1222/files/36713656924.pdf
- https://cdn.shopify.com/s/files/1/0427/9664/6556/files/jasuxuwudatezutadiguw.pdf
- https://cdn.shopify.com/s/files/1/0430/3765/5191/files/govulutoka.pdf
- https://cdn.shopify.com/s/files/1/0431/5181/8903/files/9753437533.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005be1.bin` `1a18404baad9597a22cd1918717b3a70d5461630f9fe2b03bc2d42ab52c8fc40`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5BE1	4936 bytes
`font_01_sfnt_off00006c92.bin` `0164c501b5382561b024bedb637c3c6c72aca8a60933a9fdf5e76c4c3792e564`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C92	10020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.