PDF malware analysis — malicious · 4113b6bdd65ca07c

MALICIOUS

PDF

45.9 KB Created: 2020-08-02 20:11:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7c5cee102393771c9aef1dec52c93a72 SHA-1: 824298a26dc2fc8db78fbe7e10430ed59a005ecb SHA-256: 4113b6bdd65ca07c963f49b0210c80be6d79de9f2f9de0e49b95e64cda44c77d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a lure for a W-9 form, which is a common tactic for phishing campaigns. It embeds numerous links, including a critical redirector link to 'https://ttraff.cc/pify?keyword=w+9+for+non+profit', indicating an attempt to direct users to malicious infrastructure. The presence of a large number of external PDF links also suggests a link farm for SEO poisoning or traffic generation.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=w+9+for+non+profit
- http://files.megacandyimporters.com/uploads/1/3/2/6/132681352/vikexubibunuj.pdf
- http://files.lovinahouse.com/uploads/1/3/0/8/130814754/8287930.pdf
- http://files.editmythesis.com.au/uploads/1/3/0/7/130740625/9427137.pdf
- http://files.threesisterstravel.com/uploads/1/3/1/3/131380058/d198c.pdf
- http://files.centralcoastinclusiveschools.org/uploads/1/3/1/6/131606630/424639a8e4.pdf
- https://cdn.shopify.com/s/files/1/0431/2177/0656/files/bebovumoka.pdf
- https://cdn.shopify.com/s/files/1/0438/1717/3149/files/10418877200.pdf
- https://cdn.shopify.com/s/files/1/0429/6137/1290/files/gazoravovota.pdf
- https://cdn.shopify.com/s/files/1/0433/4298/7422/files/24516928385.pdf
- https://cdn.shopify.com/s/files/1/0428/5677/5839/files/ribol.pdf
- https://cdn.shopify.com/s/files/1/0431/0702/5056/files/lizoboxuguwala.pdf
- https://cdn.shopify.com/s/files/1/0428/9763/7535/files/8785773768.pdf
- https://cdn.shopify.com/s/files/1/0431/8117/9037/files/23207134664.pdf
- https://cdn.shopify.com/s/files/1/0441/1555/8552/files/39227956928.pdf
- https://cdn.shopify.com/s/files/1/0427/5650/5756/files/pibokesoworuburilag.pdf
- https://cdn.shopify.com/s/files/1/0430/0839/3369/files/xaligifewut.pdf
- https://cdn.shopify.com/s/files/1/0429/8512/8090/files/fewugemad.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006242.bin` `a9b0ae56af696e6f6d113f931df1277e30a915449bcb99543c35eeca270164c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6242	4644 bytes
`font_01_sfnt_off00007235.bin` `583c8e917e78e2c83b5fc21f8d6310c797b538d737003cfe64ab44caec5bbe93`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7235	10288 bytes
`font_02_sfnt_off0000957e.bin` `df8916dc0488248139c8b7f8575cdad52201066875df9eb3f38f8be7ce625b0f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x957E	16076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.