PDF malware analysis — malicious · 36896f80e176deac

MALICIOUS

PDF

49.8 KB Created: 2020-08-15 07:20:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5cfe174905c1fe8ae0714650ef13bf65 SHA-1: 3948565ef02bc9ce9b10a52e3ed5ec95e5272e6d SHA-256: 36896f80e176deac8609d29f3a6c8aaadb90f9939d8a431128950777c9b1f9f6

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a heuristic firing indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains URLs that are part of a link farm, with the primary malicious URL being ttraff.cc. This suggests the document's purpose is to redirect users to potentially harmful content under the guise of offering a free font.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=brush+script+std+free+font
- http://sutazim.mseverett.com/uploads/1/3/2/6/132680949/kajamefi_pumiju.pdf
- http://files.caldanpartners.com/uploads/1/3/0/7/130775413/7476729.pdf
- http://files.newreligioncurriculum.com/uploads/1/3/2/6/132695543/detijulutesikesegora.pdf
- https://cdn.shopify.com/s/files/1/0432/4245/5207/files/gmat_test_questions.pdf
- https://cdn.shopify.com/s/files/1/0432/7207/7475/files/11838359244.pdf
- https://cdn.shopify.com/s/files/1/0446/4757/9811/files/pajefawuruzosoki.pdf
- https://cdn.shopify.com/s/files/1/0435/9805/3535/files/39329755299.pdf
- https://cdn.shopify.com/s/files/1/0428/7945/1289/files/giruzaturipebepo.pdf
- https://cdn.shopify.com/s/files/1/0431/0240/4769/files/wogulisidusik.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/duzibuwusupamodugibeboz.pdf
- https://cdn.shopify.com/s/files/1/0431/1662/6082/files/vemudog.pdf
- https://cdn.shopify.com/s/files/1/0432/1918/9915/files/anaplastic_thyroid_carcinoma.pdf
- https://cdn.shopify.com/s/files/1/0430/9614/6073/files/26832820198.pdf
- https://cdn.shopify.com/s/files/1/0432/3491/8568/files/faxekogikefuwiraxeru.pdf
- https://cdn.shopify.com/s/files/1/0431/8475/0747/files/69145031512.pdf
- https://cdn.shopify.com/s/files/1/0429/3355/1260/files/45958841952.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005c35.bin` `df881f0d50bc4879c5c2c03511f6d9fb3391469e7a1484d701f40483abb39c48`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C35	4932 bytes
`font_01_sfnt_off00006cf3.bin` `e3522f91a8b28b3764c2f577a76fc380ee480c2c82c6ecec2e63ad69d39a5fde`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CF3	9768 bytes
`font_02_sfnt_off00008ea1.bin` `c2e3bad02472886579e779ac7f77640d53f02b4712a6e0c7f0b0991242c0d298`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8EA1	18580 bytes
`font_03_sfnt_off0000abc6.bin` `d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xABC6	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.