PDF malware analysis — malicious · 3f060d5b28c4177c

MALICIOUS

PDF

53.2 KB Created: 2020-09-02 00:38:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7af7169b398c50266c566195866bf1c5 SHA-1: d6dc1e8ef2daee279fe14cc83d8ec6a83a01ff00 SHA-256: 3f060d5b28c4177cbe49e811c81898d793cc57eb16e3757cca93c7bad9461ddf

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify. The document body, though heavily obfuscated, contains text related to 'tutuapp ios 11.4.1' and a URL that matches the malicious redirector. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=tutuapp+ios+11.+4.+1
- https://cdn.shopify.com/s/files/1/0431/6132/1634/files/74802135935.pdf
- https://cdn.shopify.com/s/files/1/0431/6299/2795/files/46798575863.pdf
- https://cdn.shopify.com/s/files/1/0439/2170/3067/files/50426330143.pdf
- https://cdn.shopify.com/s/files/1/0434/8595/4208/files/8106773754.pdf
- https://cdn.shopify.com/s/files/1/0432/0670/5311/files/99789991.pdf
- https://cdn.shopify.com/s/files/1/0434/0822/8508/files/what_did_the_dormouse_say.pdf
- https://cdn.shopify.com/s/files/1/0459/7311/0951/files/antebellum_america_study_guide.pdf
- https://cdn.shopify.com/s/files/1/0432/5202/3458/files/tabivopi.pdf
- https://cdn.shopify.com/s/files/1/0431/7016/8986/files/22994982391.pdf
- https://cdn.shopify.com/s/files/1/0430/2045/1997/files/bulisatejid.pdf
- https://cdn.shopify.com/s/files/1/0430/8582/4154/files/molorev.pdf
- https://static.usrfiles.com/ugd/0a593f_ba79e624f2e24a5cba37b676d2f45ec7.pdf
- https://static.usrfiles.com/ugd/d9d1f5_860d933ee438401f8d8845e69c6b883a.pdf
- https://static.usrfiles.com/ugd/0cd3a8_72d8014f8e23400a9c9360f4f5bf5027.pdf
- https://static.usrfiles.com/ugd/e3834b_d294dafc62f841dc967c4db4aeb388f9.pdf
- https://static.usrfiles.com/ugd/7603ae_a9014e03b1cb4e75bfe7002387ceefd3.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008648.bin` `99aeaca9db50ee2aa820fd2fa7fb1fb001327f0acea44554b04930fe23e555b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8648	4808 bytes
`font_01_sfnt_off000096c4.bin` `d538215f3a9305e731fc051653cf35909fb3bcb012d116155230aa7542ccca3d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x96C4	17112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.