PDF malware analysis — malicious · 535c0da4fe35e9d3

MALICIOUS

PDF

65.1 KB Created: 2020-08-07 01:24:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fedd9bb8bb82d96de35d3f4541764059 SHA-1: 5ee8d58800033c4976f3c9d196eed9dbda0c0855 SHA-256: 535c0da4fe35e9d39a2a7b9ea0b625de2543a4e37dafa4346c8e896a5b12d144

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=consonant+words+list+pdf'. This URL is presented within the document body, disguised as a benign resource. The PDF also contains a large number of external links, many hosted on Shopify, which is indicative of a link farm or SEO manipulation tactic to distribute malicious content. The primary intent appears to be redirecting the user to a malicious site.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=consonant+words+list+pdf
- http://files.glitzync.com/uploads/1/3/0/7/130776712/dumuxupekimomex.pdf
- http://files.royaloverload.org/uploads/1/3/1/3/131380966/5833645.pdf
- http://wobelixi.hotepseminars.com/uploads/1/3/0/9/130969723/fabef.pdf
- http://files.nextstepnursery.com/uploads/1/3/0/7/130740530/3655515.pdf
- https://cdn.shopify.com/s/files/1/0434/1560/1314/files/5521205699.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51982080438.pdf
- https://cdn.shopify.com/s/files/1/0431/4837/8280/files/bozetawuvamimimevu.pdf
- https://cdn.shopify.com/s/files/1/0432/8449/6550/files/wakevaxamosulipe.pdf
- https://cdn.shopify.com/s/files/1/0448/5152/7842/files/biology_sylvia_mader_11th_edition.pdf
- https://cdn.shopify.com/s/files/1/0434/1553/5774/files/jaburunized.pdf
- https://cdn.shopify.com/s/files/1/0432/3901/4562/files/dovevuvida.pdf
- https://cdn.shopify.com/s/files/1/0429/1634/8057/files/60142829223.pdf
- https://cdn.shopify.com/s/files/1/0435/4595/2408/files/modovevap.pdf
- https://cdn.shopify.com/s/files/1/0434/3611/4076/files/dofewopobetakoj.pdf
- https://cdn.shopify.com/s/files/1/0433/1533/1227/files/98541931323.pdf
- https://cdn.shopify.com/s/files/1/0431/8494/7357/files/romenavixokibeno.pdf
- https://cdn.shopify.com/s/files/1/0431/3274/7927/files/kufowiga.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008d2a.bin` `c420d930bf6ca8d567b1813565973fc95cfd9b9c0322ab8cc4cea1585c3760a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D2A	4820 bytes
`font_01_sfnt_off00009d9d.bin` `510c8378371a93c5d1248fcf575468336880e40d2058d16738f7d474fcb8b697`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9D9D	27740 bytes
`font_02_sfnt_off0000e933.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE933	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.