PDF malware analysis — malicious · 475ca7f689ca43df

MALICIOUS

PDF

46.2 KB Created: 2020-08-31 22:29:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 136f5a6991f932607c51c7f69e071240 SHA-1: 980484c52dd49d02cf439160016abd8e1b19b2e7 SHA-256: 475ca7f689ca43dfc02dad96f3cdeaa2a0487f42c202a38d17c238524984972a

128 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a mass of external links, including a critical finding of a link to known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=airtel+app+tv+app'. The document body, though heavily obfuscated, contains references to 'Airtel app tv app' and a call-to-action phrase, suggesting a lure to trick the user into clicking the malicious link. The presence of numerous PDF links also indicates a potential link farm or SEO poisoning attempt.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=airtel+app+tv+app
- https://static.usrfiles.com/ugd/57c819_666238974c26445199ee7ef73aca260d.pdf
- https://static.usrfiles.com/ugd/9d869b_b08a0a3360784effbc0da29f16cec6a1.pdf
- https://static.usrfiles.com/ugd/23b571_7d3b1748363342518c13d675a2235c05.pdf
- https://static.usrfiles.com/ugd/7603ae_add4c7561c5447d4bc0515851a0231be.pdf
- https://static.usrfiles.com/ugd/e4a001_1b7a995cab6d43bcb7467ecb785be1b5.pdf
- https://static.usrfiles.com/ugd/b8c837_89144cee0e56416bb73b154dfc3b7f77.pdf
- https://cdn.shopify.com/s/files/1/0440/5461/0070/files/periodic_table_of_elements_definition.pdf
- https://cdn.shopify.com/s/files/1/0435/3415/5928/files/wazipalubaxejafet.pdf
- https://cdn.shopify.com/s/files/1/0431/0342/0570/files/6592138536.pdf
- https://cdn.shopify.com/s/files/1/0430/8749/5321/files/journaux_algeriens_gratuit.pdf
- https://cdn.shopify.com/s/files/1/0429/2293/4435/files/55487264431.pdf
- https://cdn.shopify.com/s/files/1/0434/7058/6006/files/rexesurenopugalabobow.pdf
- https://cdn.shopify.com/s/files/1/0429/8548/8543/files/ziwukeledolufowimudeb.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000637d.bin` `8a7eb55dcf7c25e44487842ce12442b4971ff1955aecb38b698b9ff2b6abdcb7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x637D	4684 bytes
`font_01_sfnt_off00007380.bin` `09a84bb314cb4824b98fb87ca2d5da7d082a788cc154fd98bd107e2ae9593d90`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7380	10300 bytes
`font_02_sfnt_off00009709.bin` `e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9709	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.