Malicious PDF — malware analysis report

Static analysis result for SHA-256 489a3ffe80366906…

Verdict: MALICIOUS
File type: PDF

Size: 42.4 KB
Created: 2020-08-30 07:07:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88e91bab06e2d542ddbb7952dd053a4d
SHA-1: 2b3bf826461770b3e0f06c7fbfe54e944327c365
SHA-256: 489a3ffe803669065af09efdcecf979e638ba4ceefa5f15dfcfac4c183e19718
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains numerous links. One critical heuristic identifies a link to a known malicious redirector at 'https://ttraff.com/wix?keyword=the+dhandho+investor+audiobook'; a second flags the large number of external PDF links, consistent with a generated link farm. The document body, though heavily obfuscated, references the redirector URL together with benign-looking PDF files hosted on Shopify and usrfiles.com, likely included to lend the lure credibility. The primary intent appears to be routing the user into malicious infrastructure through click-through redirect chains rather than exploiting the PDF reader. No PowerShell or other script content was extracted from the sample (the only carved artifacts are two embedded font streams), so the T1059.001 mapping above is not evidenced by this static result.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=the+dhandho+investor+audiobook
    • https://cdn.shopify.com/s/files/1/0465/0257/6286/files/wow_haft_of_the_god_king.pdf
    • https://cdn.shopify.com/s/files/1/0431/3242/0250/files/42387680114.pdf
    • https://cdn.shopify.com/s/files/1/0432/1188/2659/files/30564060237.pdf
    • https://cdn.shopify.com/s/files/1/0430/9365/5716/files/game_of_thrones_tpb.pdf
    • https://static.usrfiles.com/ugd/b8c837_8d82077ae4b04b6c9db8b1b80dbb3915.pdf
    • https://static.usrfiles.com/ugd/eed56f_abb6b72af57346c49245c445a1f4c37b.pdf
    • https://static.usrfiles.com/ugd/5ed537_3289937a642044d6a03405ad8523ebdc.pdf
    • https://static.usrfiles.com/ugd/b8c837_00bf31859a2740a7a9d4beeebe6c319d.pdf
    • https://static.usrfiles.com/ugd/accd1f_094ec67ab6a948d4a5f4fbbc18d08e0b.pdf
    • https://static.usrfiles.com/ugd/3bca44_cfc5e281d53e40b0b78a45102a5c221f.pdf
    • https://static.usrfiles.com/ugd/affb4a_70aa3448dfb74841a67af05bbc7e65c7.pdf
    • https://static.usrfiles.com/ugd/b910ae_62a32ac6e0b74ec3abb8e89957776022.pdf
    • https://static.usrfiles.com/ugd/067ecb_0b7b064ef9474622a59ca5a142b2c694.pdf
    • https://cdn.shopify.com/s/files/1/0433/3817/0526/files/2010_kawasaki_brute_force_750_performance_mods.pdf
    • https://cdn.shopify.com/s/files/1/0431/6902/2109/files/aesthetic_photo_editor_apk.pdf
    • https://cdn.shopify.com/s/files/1/0430/5833/1799/files/33546246070.pdf
    • https://cdn.shopify.com/s/files/1/0431/2317/9677/files/xazatepajaka.pdf
    XMP metadata namespace URIs found in the document body (schema identifiers, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
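The two critical heuristics above are cheap to reproduce: pull every /URI target out of the link annotations, then check for a known redirector host and for a small file carrying many external .pdf links concentrated on one host. The script below is an added example written for this page, not the analysis platform's own code. The redirector host set, the thresholds (100 KB, 10 links, 50% on one host) and the sample PDF it builds are assumptions; the sample URIs only mirror the pattern in this report and the paths are made up.

```python
"""Link-annotation triage for a PDF: extract every /URI target and apply the
two link heuristics this report fired (redirector host, small-file link farm).
Added example for this page; not the analysis platform's own code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions, not values taken from the report: the redirector host set and
# the "small file" / "mass links" / "clustered" thresholds.
REDIRECTOR_HOSTS = {"ttraff.com"}
SMALL_PDF_BYTES = 100 * 1024
MIN_PDF_LINKS = 10
CLUSTER_RATIO = 0.5

# /URI followed by a literal string (...) with backslash escapes, or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
_ESC = {b"(": b"(", b")": b")", b"\\": b"\\", b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def _unescape(lit: bytes) -> bytes:
    """Undo the PDF literal-string escapes a URI can contain."""
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), lit)


def extract_uris(pdf: bytes) -> list:
    """Return /URI targets in file order by scanning raw bytes. Uncompressed
    objects only: annotations inside /ObjStm (PDF 1.5+) must be inflated first."""
    uris = []
    for lit, hexs in _URI_RE.findall(pdf):
        raw = _unescape(lit) if lit else bytes.fromhex(hexs.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def assess(uris, file_size: int) -> list:
    """Apply the report's two link heuristics; returns (id, severity, evidence) tuples."""
    findings = []
    web = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    hosts = {u: (urlsplit(u).hostname or "").lower() for u in web}

    hits = [u for u in web if hosts[u] in REDIRECTOR_HOSTS]
    if hits:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", hits))

    pdf_hosts = [hosts[u] for u in web if urlsplit(u).path.lower().endswith(".pdf")]
    if file_size <= SMALL_PDF_BYTES and len(pdf_hosts) >= MIN_PDF_LINKS:
        top, n = Counter(pdf_hosts).most_common(1)[0]
        if n / len(pdf_hosts) >= CLUSTER_RATIO:
            evidence = [f"{len(pdf_hosts)} external .pdf links, {n} on {top}"]
            findings.append(("PDF_SEO_LINK_FARM", "critical", evidence))
    return findings


def build_pdf(uris) -> bytes:
    """Constructed test input: a one-page PDF whose /Annots are /Link annotations
    carrying the given URIs. No xref table is emitted (a viewer would rebuild
    it); the raw-bytes scanner above does not need one."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = []
    for i, u in enumerate(uris):
        refs.append(f"{4 + i} 0 R".encode())
        lit = (u.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
                    b" /A << /S /URI /URI (" + lit + b") >> >>")
    objs.insert(2, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
                   b" /Annots [" + b" ".join(refs) + b"] >>")
    body = b"".join(f"{n + 1} 0 obj\n".encode() + o + b"\nendobj\n"
                    for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed URI set mirroring the report's pattern: one redirector link plus
# many generated .pdf links clustered on one CDN host. The paths are made up.
SAMPLE_URIS = (
    ["https://ttraff.com/wix?keyword=the+dhandho+investor+audiobook"]
    + [f"https://cdn.shopify.com/s/files/1/0430/0000/{i:04d}/files/doc_{i}.pdf"
       for i in range(8)]
    + [f"https://static.usrfiles.com/ugd/000000_{i:032x}.pdf" for i in range(3)]
    + ["https://static.usrfiles.com/ugd/000000_copy(1).pdf"]  # exercises \( \) escapes
)

if __name__ == "__main__":
    sample = build_pdf(SAMPLE_URIS)
    for fid, sev, ev in assess(extract_uris(sample), len(sample)):
        print(f"{sev:8} {fid}: {ev}")
```

Run it on a real file with `assess(extract_uris(open(path, "rb").read()), os.path.getsize(path))`. The regex pass is deliberately parser-free so it also works on damaged files, but it sees only uncompressed objects; for PDFs that pack annotations into object streams, inflate them (or use a full parser) before scanning, or the link count will be silently low.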

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000068f0.bin
    SHA-256: f291d35cfe182dac23c6d69e57af171eedf804454d841f1fae09f2dcd2969b3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x68F0
    Size: 5096 bytes
  • font_01_sfnt_off00007a37.bin
    SHA-256: f7eb2c993845caf8ad71b2fa1b326f39a477a8a44006a0d2f299f982d98814fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A37
    Size: 10096 bytes