PDF malware analysis — malicious · 41c24f8f76a6e3d5

MALICIOUS

PDF

41.1 KB Created: 2020-08-12 22:27:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 42779f6c3e656180a812d9d8c54a227b SHA-1: 4afff06ef3137b481f5370b50f602231ca74f2c7 SHA-256: 41c24f8f76a6e3d547594482a110068c3a00c8108ccfc5b181a5feb636c867ed

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to an 'inauguration worksheet' and the malicious URL. The presence of a link farm heuristic suggests an attempt to manipulate search engine results or distribute malicious content broadly. The primary malicious URL is https://ttraff.com/wb?keyword=turning%20points%20inauguration%20of%20washington%20worksheet.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=turning%20points%20inauguration%20of%20washington%20worksheet
- http://femapavav.maxnewmarkswildlife.com/uploads/1/3/0/7/130776716/fagis-guwudododu.pdf
- http://girujuze.gardenguildlakechapala.com/uploads/1/3/1/8/131856158/buxego-babaligijev.pdf
- http://files.my-living-benefits.com/uploads/1/3/1/3/131380008/3a6f73d179d.pdf
- https://cdn.shopify.com/s/files/1/0433/5511/1589/files/wufokutifobokuruf.pdf
- https://cdn.shopify.com/s/files/1/0435/6482/6783/files/application_as_a_teacher.pdf
- https://cdn.shopify.com/s/files/1/0430/9005/1221/files/pujez.pdf
- https://cdn.shopify.com/s/files/1/0431/9834/9471/files/ridedinuwix.pdf
- https://cdn.shopify.com/s/files/1/0435/1878/7743/files/dazivas.pdf
- https://cdn.shopify.com/s/files/1/0437/4790/1592/files/there_was_a_problem_starting_logilda._dll.pdf
- https://cdn.shopify.com/s/files/1/0435/0168/2843/files/breakthrough_advertising.pdf
- https://cdn.shopify.com/s/files/1/0429/3902/3526/files/murder_on_the_orient_express.pdf
- https://cdn.shopify.com/s/files/1/0432/4343/8242/files/50049983325.pdf
- https://cdn.shopify.com/s/files/1/0430/4227/5485/files/57711222629.pdf
- https://cdn.shopify.com/s/files/1/0437/9066/3832/files/attestation_employeur_action_logement.pdf
- https://cdn.shopify.com/s/files/1/0434/7900/7398/files/longest_palindromic_substring.pdf
- https://cdn.shopify.com/s/files/1/0431/0581/2629/files/guwulujawonimavakebizop.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006367.bin` `74c86166f05cee2ea7cf35596a81742d623e1561a1a1c445f0bd599e785c1144`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6367	5236 bytes
`font_01_sfnt_off00007542.bin` `14fef30db847e5727d83e7049e9490006708ca111d8715af2313a02fdc7f7c28`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7542	9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.