PDF malware analysis — malicious · 412fbc0b4b0661f5

MALICIOUS

PDF

120.9 KB Created: 2020-08-07 00:55:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 44a6f14207716eab004c303d272a3fb1 SHA-1: 10ba90d4990c33e4fdc8b2b0c76126a863e1fbc4 SHA-256: 412fbc0b4b0661f5a6ad223c664c3d07d5b1cfc5e9b6679e71bd90e7ea885b96

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded JavaScript and a critical heuristic firing indicates a malicious redirector link. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=borsa+istanbul+nedir+pdf', which is identified as a malicious redirector. This suggests the PDF is designed to exploit users by directing them to malicious infrastructure, likely for phishing or malware distribution. The presence of numerous other Shopify links, while marked as benign, could be part of a broader SEO poisoning or link farm strategy to obscure the malicious destination.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=borsa+istanbul+nedir+pdf
- http://files.centermentalhealth.com/uploads/1/3/1/4/131438474/8645956.pdf
- http://zikavuk.theworkplacehealthcoach.com/uploads/1/3/1/0/131070581/pewopemogudowilimoja.pdf
- http://files.designsbycarolann.com/uploads/1/3/0/8/130814513/ac27058e6e8.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69296453687.pdf
- https://cdn.shopify.com/s/files/1/0429/1434/9215/files/nomofivoke.pdf
- https://cdn.shopify.com/s/files/1/0437/7437/8138/files/69412101401.pdf
- https://cdn.shopify.com/s/files/1/0431/3815/4650/files/22683864827.pdf
- https://cdn.shopify.com/s/files/1/0433/8168/6439/files/xigelijurovajew.pdf
- https://cdn.shopify.com/s/files/1/0434/5852/7397/files/felaju.pdf
- https://cdn.shopify.com/s/files/1/0434/3654/0069/files/xaxejizabefewewodiru.pdf
- https://cdn.shopify.com/s/files/1/0428/8852/8035/files/kaseso.pdf
- https://cdn.shopify.com/s/files/1/0437/9944/5664/files/arterine_hipertenzija.pdf
- https://cdn.shopify.com/s/files/1/0432/5995/3312/files/adjectives_to_describe_physical_appearance_and_personality.pdf
- https://cdn.shopify.com/s/files/1/0433/0792/5654/files/wisudekugiwumirusar.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00019091.bin` `3e4f01d4cebf7434cb2b1e68cc8659d3d010f1bc9866160de025e4270f157be1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19091	5224 bytes
`font_01_sfnt_off0001a258.bin` `f7afebbce397c91c3a23e0b47a276dda08da66f35e0be9456cb240ccb846fca8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A258	17460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.