PDF malware analysis — malicious · 4f075424369c8256

MALICIOUS

PDF

54.7 KB Created: 2020-08-01 16:57:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 72c1406096ea770bf611175965217a8a SHA-1: 8716ed0aede0ba2f01854cb34d74ea4cfa89616b SHA-256: 4f075424369c825695979a89f72238f5f1bb12512afec17f910bd5e93a68d601

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a direct link to a redirector disguised as a game download. The primary malicious URL is https://ttraff.com/pify?keyword=gta+liberty+city+stories+apk, which likely leads to further malicious content. The presence of numerous links to external PDFs, many hosted on Shopify, suggests a link farm used for SEO manipulation or distributing malicious payloads.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=gta+liberty+city+stories+apk
- http://files.4lawsfamily.com/uploads/1/3/0/8/130874588/xuguwukob_kotejipalabo.pdf
- http://files.916getfit.com/uploads/1/3/0/8/130874023/4015823.pdf
- http://files.onegirlmanyideas.com/uploads/1/3/1/3/131382387/7190167.pdf
- http://files.babydollsheepaustralia.com/uploads/1/3/0/9/130969097/94cff4b5789.pdf
- http://files.handwritingexplore.com/uploads/1/3/0/7/130740356/vameposokumu.pdf
- https://cdn.shopify.com/s/files/1/0434/1792/7837/files/56800074031.pdf
- https://cdn.shopify.com/s/files/1/0431/9179/5875/files/84910631221.pdf
- https://cdn.shopify.com/s/files/1/0432/9429/4171/files/bufotawom.pdf
- https://cdn.shopify.com/s/files/1/0430/7389/6602/files/57871121562.pdf
- https://cdn.shopify.com/s/files/1/0431/2432/6564/files/gupowojisilixog.pdf
- https://cdn.shopify.com/s/files/1/0429/9119/0167/files/84904333474.pdf
- https://cdn.shopify.com/s/files/1/0430/6662/2105/files/pilarefotojawo.pdf
- https://cdn.shopify.com/s/files/1/0429/7264/3491/files/46440677156.pdf
- https://cdn.shopify.com/s/files/1/0438/6711/1584/files/42143067190.pdf
- https://cdn.shopify.com/s/files/1/0435/9972/4702/files/nevabekabawuwozitizom.pdf
- https://cdn.shopify.com/s/files/1/0429/8450/5498/files/gibawujal.pdf
- https://cdn.shopify.com/s/files/1/0439/4686/8891/files/47294168315.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_005_off0000a131.bin` `f15f466aa91eda0c74fc4706fd0068a522452e8488f1e8a346a67cffc21c1496`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xA131	25172 bytes
`font_00_sfnt_off00006d14.bin` `c345954cc7bab5d88557c4e0b46a4c9cd8036f9ac97dd708dd2eb70db83ed46a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D14	5264 bytes
`font_01_sfnt_off00007f14.bin` `9fd617449d3081f86cbeefadc561fba537572bda08ca4c138ea0f2f53506e531`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F14	9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.