PDF malware analysis — malicious · 3a4e6650374c6147

MALICIOUS

PDF

98.7 KB Created: 2020-08-14 23:40:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7cd2b35e46661e8d98539849d43125d1 SHA-1: f4bb634e1dbfb4aa728f6171d1300c565c3b46e1 SHA-256: 3a4e6650374c6147d51c083edecb1c7e7cd4c1cc72ff68e9cf421ebb7a64907f

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to `https://ttraff.com/pify?keyword=form+14a+affidavit+word+template`. It also exhibits characteristics of a link farm, with numerous embedded links, many hosted on `cdn.shopify.com`. The document body, though partially corrupted, contains text related to 'form 14a affidavit word template' and the malicious URL, suggesting a lure to trick users into clicking the link. The primary attack pattern involves social engineering through a deceptive document, leading to a malicious redirector.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=form+14a+affidavit+word+template
- http://faseraj.medfordwindowcompany.com/uploads/1/3/2/8/132814930/zovesetane.pdf
- https://cdn.shopify.com/s/files/1/0433/8896/0933/files/lisez.pdf
- https://cdn.shopify.com/s/files/1/0434/3431/1845/files/rofugi.pdf
- https://cdn.shopify.com/s/files/1/0431/0410/8711/files/xusinaseduvefumawa.pdf
- https://cdn.shopify.com/s/files/1/0430/4214/4407/files/44732804153.pdf
- https://cdn.shopify.com/s/files/1/0435/5093/3155/files/economics_principles_in_action_teacher_edition.pdf
- https://cdn.shopify.com/s/files/1/0446/8791/7209/files/team_building_activities_for_employees.pdf
- https://cdn.shopify.com/s/files/1/0436/1525/6738/files/camscanner_license_creator_1._4_apk_cracked.pdf
- https://cdn.shopify.com/s/files/1/0431/3769/5906/files/68825545840.pdf
- https://cdn.shopify.com/s/files/1/0431/2412/9946/files/mipitefijuvapex.pdf
- https://cdn.shopify.com/s/files/1/0429/7401/9740/files/58204334327.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00013c73.bin` `b44e6ce27ebf6e9f20f16283b08d74e1a279d6b8f777ee1e9936cc812f635420`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13C73	4940 bytes
`font_01_sfnt_off00014d58.bin` `60c1ed679cf406fafb2922b8e110ae1c5f358df68b6be1a2e5a8c8f39cdd9357`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14D58	10076 bytes
`font_02_sfnt_off00016fcf.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16FCF	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.