PDF malware analysis — malicious · 4d1213c88f9dba13

MALICIOUS

PDF

46.4 KB Created: 2020-08-15 17:23:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3f28bc5d6ce4d016b16eb5eff953269f SHA-1: 3924e4e379b23f6e258663128508830ef3fb0df5 SHA-256: 4d1213c88f9dba138feed6e2bf20e4d574dbb3d03e3c72d42486500c40b6436c

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to ttraff.com, which is flagged as malicious. The document body, though heavily obfuscated, contains text related to 'Zamzar pdf to jpg conversion tool' and a call-to-action phrase, suggesting a lure to trick users into clicking the malicious link. The presence of numerous embedded links, many pointing to Shopify, further supports a link farm or SEO poisoning tactic to distribute the malicious URL.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wb?keyword=zamzar%20pdf%20to%20jpg%20conversion%20tool
- http://files.girlsstem.ca/uploads/1/3/2/7/132740362/6956714.pdf
- https://cdn.shopify.com/s/files/1/0431/7272/4900/files/wordly_wise_book_6_lesson_10.pdf
- https://cdn.shopify.com/s/files/1/0435/7813/0593/files/18033572702.pdf
- https://cdn.shopify.com/s/files/1/0430/2936/4885/files/causes_of_major_depression.pdf
- https://cdn.shopify.com/s/files/1/0430/8166/2628/files/56088264693.pdf
- https://cdn.shopify.com/s/files/1/0428/0611/6511/files/pavuluguv.pdf
- https://cdn.shopify.com/s/files/1/0431/0718/8898/files/bunamujamo.pdf
- https://cdn.shopify.com/s/files/1/0431/9494/1603/files/lapekuxosugodijipijegale.pdf
- https://cdn.shopify.com/s/files/1/0429/5265/5002/files/jutupez.pdf
- https://cdn.shopify.com/s/files/1/0431/6761/3087/files/37932197689.pdf
- https://cdn.shopify.com/s/files/1/0437/0956/3045/files/fet_biasing_techniques.pdf
- https://cdn.shopify.com/s/files/1/0430/8772/4704/files/rolofomogizezil.pdf
- https://cdn.shopify.com/s/files/1/0430/7111/1330/files/48834716736.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000618f.bin` `f383f7ff9fa3a6854c7c90b452313e32c9d260a745651be0ccf56759991b3b8a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x618F	5616 bytes
`font_01_sfnt_off000074b2.bin` `cc837556d37c1cbac4e5d829dee8f48a08c2b93a2f65b2b32909263496e36c57`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74B2	10184 bytes
`font_02_sfnt_off000097d3.bin` `f283a563ee48c68d0f210b91d059b93f2da97875a4894e08c15e1f8ed5b97a7d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x97D3	16076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.