PDF malware analysis — malicious · 3fa8083bfaae534e

MALICIOUS

PDF

48.6 KB Created: 2020-08-23 19:10:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7133b064b83973e74abe624d04f62f1d SHA-1: 5b98f45dc4304efeb4aa6ab42867eb06a3697c22 SHA-256: 3fa8083bfaae534ecd6bcae75345ed719b84f704e154a8a9fd7bc080fb5b2735

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The embedded URL `https://ttraff.cc/pify?keyword=lake+talquin+crappie+fishing+report+2019` is the primary indicator of this malicious redirection. The document also contains a large number of external PDF links, suggesting a link farm or SEO poisoning attempt, with many pointing to `cdn.shopify.com`.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=lake+talquin+crappie+fishing+report+2019
- http://files.ericeckhouse.com/uploads/1/3/1/4/131437149/pelotedanosuge.pdf
- http://files.thebeatlestour.net/uploads/1/3/1/4/131405956/828472.pdf
- http://files.priestfamilyfarm.com/uploads/1/3/1/3/131398143/miwus_rebujapakasavo_tajoru_wefibe.pdf
- http://files.priestfamilyfarm.com/uploads/1
- https://cdn.shopify.com/s/files/1/0432/1837/0728/files/64056158202.pdf
- https://cdn.shopify.com/s/files/1/0431/8851/9080/files/kolutux.pdf
- https://cdn.shopify.com/s/files/1/0432/5107/3174/files/kesadovafegapos.pdf
- https://cdn.shopify.com/s/files/1/0440/4533/6741/files/fatufalubobutikipi.pdf
- https://cdn.shopify.com/s/files/1/0434/1818/9980/files/kavuvobob.pdf
- https://cdn.shopify.com/s/files/1/0434/1760/0157/files/pugefaxizakupex.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/45251784546.pdf
- https://cdn.shopify.com/s/files/1/0438/9866/7163/files/adp_workforce_now_direct_deposit_form.pdf
- https://cdn.shopify.com/s/files/1/0436/5392/2969/files/bengali_album_song_webmusic._in.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/37237973095.pdf
- https://cdn.shopify.com/s/files/1/0433/8001/5271/files/naveb.pdf
- https://cdn.shopify.com/s/files/1/0438/0036/3169/files/143266179.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/89573664631.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006a09.bin` `f1a4612622a7ef0aa8f031902cda51a69968a149980d91d572c84fd20fda7f42`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6A09	5888 bytes
`font_01_sfnt_off00007e17.bin` `9f2e00b318d11fc09127c08a9ca600912086d1b252163e8d6af51de94ff47045`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E17	9780 bytes
`font_02_sfnt_off00009fbb.bin` `39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9FBB	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.