PDF malware analysis — malicious · 484b5d55d0ae3c60

MALICIOUS

PDF

54.9 KB Created: 2020-08-29 22:05:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 59186324626ec69ab76a4ef37ec90b1a SHA-1: 073b23a4e0f668c6b53ef1f442975ff809073b48 SHA-256: 484b5d55d0ae3c60d7053020c531d74ca5288ebe77e1bb8769a27032e80fcf00

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to known malicious infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic fired, revealing a mass of external PDF links, many hosted on cdn.shopify.com, suggesting an attempt to manipulate search engine results or distribute content through a seemingly legitimate platform. The primary malicious URL identified is https://ttraff.com/wix?keyword=subaru+wrx+sti+ra.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=subaru+wrx+sti+ra
- https://static.usrfiles.com/ugd/b8c837_94f15a7589ab442185a06ff5ac978955.pdf
- https://static.usrfiles.com/ugd/83e24f_cc398f6b3bf84743b052541a5201a090.pdf
- https://static.usrfiles.com/ugd/b8c837_0db1f00b79c2431a8e8f83ebf3afcfaa.pdf
- https://static.usrfiles.com/ugd/de65f7_7d9004f7768e448d8d073e0cd882da82.pdf
- https://cdn.shopify.com/s/files/1/0427/4031/8375/files/jinuwimazuvafagew.pdf
- https://cdn.shopify.com/s/files/1/0431/6423/7988/files/30_60_90_onboarding_plan_template.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/43778875991.pdf
- https://cdn.shopify.com/s/files/1/0431/7056/2209/files/namatudunajabejeguxufaf.pdf
- https://cdn.shopify.com/s/files/1/0428/0752/5542/files/60147863014.pdf
- https://cdn.shopify.com/s/files/1/0462/2893/0709/files/atmel_atmega168_datasheet.pdf
- https://cdn.shopify.com/s/files/1/0429/2398/3001/files/razoxowiwovijizizipodek.pdf
- https://cdn.shopify.com/s/files/1/0431/0728/7206/files/6452707171.pdf
- https://cdn.shopify.com/s/files/1/0448/3943/6449/files/85542787960.pdf
- https://cdn.shopify.com/s/files/1/0432/2790/6206/files/57735407311.pdf
- https://cdn.shopify.com/s/files/1/0430/6799/8362/files/35291882767.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008cc1.bin` `93fdafbc46ae6bca02664b2c6a865b0c6efe2ceff435ff207d6b61d7354ec6cb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8CC1	4600 bytes
`font_01_sfnt_off00009c7a.bin` `cab16fe5bdb484259417f3f3738cd2631833c9e71034df417301cf57b8944f5f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C7A	10980 bytes
`font_02_sfnt_off0000c0d7.bin` `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC0D7	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.