PDF malware analysis — malicious · 42cbfcf7b00cce5e

MALICIOUS

PDF

45.3 KB Created: 2020-08-19 12:50:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3bbf3fa7d808bc831b1668ddb9755e2e SHA-1: 332b51061e71c57dc7fb8fa1e06533cfff1c5e49 SHA-256: 42cbfcf7b00cce5e635a4d8d74fbb7fce9b3e19a00c095d9540f136c5e813623

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a mass of external links, many hosted on Shopify, designed to appear as legitimate content. One prominent link, 'https://ttraff.com/pify?keyword=new+web+series+on+netflix+free', redirects to malicious infrastructure. This indicates a link-farming or redirection attack, likely intended to lead users to phishing or malware distribution sites. No scripts were extracted, but the PDF structure and link farm heuristic strongly suggest a malicious intent.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=new+web+series+on+netflix+free
- http://zisedit.paulmetcalf.net/uploads/1/3/1/4/131482995/2240211.pdf
- http://files.eliteladiesfashion.co.uk/uploads/1/3/2/6/132682070/dilonodemale.pdf
- http://neganevo.appleseedsquares.com/uploads/1/3/1/4/131482975/gigasofekuten_faven_vijalade.pdf
- http://files.weansweredthecallfilm.com/uploads/1/3/0/7/130776655/c0a5802.pdf
- http://ramimuved.wichitawoolery.com/uploads/1/3/1/4/131454065/e898442abc699c.pdf
- https://cdn.shopify.com/s/files/1/0439/9444/8030/files/wulapawewidi.pdf
- https://cdn.shopify.com/s/files/1/0429/8765/1235/files/goduxebotakukefoguxota.pdf
- https://cdn.shopify.com/s/files/1/0432/7954/8580/files/zurapuvobabebipite.pdf
- https://cdn.shopify.com/s/files/1/0428/8105/6935/files/21146167704.pdf
- https://cdn.shopify.com/s/files/1/0427/5775/0951/files/lipulozobilijubid.pdf
- https://cdn.shopify.com/s/files/1/0433/7149/5589/files/create_your_personal_travel_guide.pdf
- https://cdn.shopify.com/s/files/1/0432/9403/2025/files/20307815726.pdf
- https://cdn.shopify.com/s/files/1/0432/7692/7142/files/wegivigena.pdf
- https://cdn.shopify.com/s/files/1/0431/8960/0414/files/leladevosogowox.pdf
- https://cdn.shopify.com/s/files/1/0430/8749/5321/files/gudaxuwoto.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006790.bin` `69a49f65cfb311342cd45ced7c3d2bf0753cfcde34c43a8abeeebe8107828f84`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6790	4608 bytes
`font_01_sfnt_off00007751.bin` `b565dd3a1826d2b7c084e3a9612f84c53c032f9f6f856ec53fc3d96a21a2b1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7751	10224 bytes
`font_02_sfnt_off00009a41.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9A41	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.