PDF malware analysis — malicious · 551730818094d809

MALICIOUS

PDF

43.9 KB Created: 2020-09-04 09:58:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 91c8e62fb945c28cf2943a67b88db8b2 SHA-1: ccb7e70f2be375c0b85ea473bac7b0c8345ca4ba SHA-256: 551730818094d809541a5840ce805c34dabed422ced732beafc9e9f65b4c7086

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to a redirector service. The document body text, though corrupted, contains a URL that appears to be a lure for a 'marketing intern resume template'. This suggests a phishing or social engineering attack. The primary malicious URL identified is https://ttraff.link/pify?keyword=marketing+intern+resume+template, which is linked to malicious redirector infrastructure.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.link/pify?keyword=marketing+intern+resume+template
- https://cdn.shopify.com/s/files/1/0432/2151/6449/files/sheet_vinyl_flooring_pros_and_cons.pdf
- https://cdn.shopify.com/s/files/1/0431/1249/7313/files/63638327001.pdf
- https://cdn.shopify.com/s/files/1/0432/1191/5432/files/14882378185.pdf
- https://cdn.shopify.com/s/files/1/0428/4763/3575/files/daxuruxebobanokus.pdf
- https://cdn.shopify.com/s/files/1/0457/5277/8908/files/katipaterix.pdf
- https://static.usrfiles.com/ugd/6260fe_a5d4be9f85334f46a505bcb3f0a17c99.pdf
- https://static.usrfiles.com/ugd/b8c837_059c75bd1f784c759520fbf3d2df20cb.pdf
- https://static.usrfiles.com/ugd/9e41f0_67d14bd3895047c7bae2027352158bee.pdf
- https://static.usrfiles.com/ugd/9421c8_9422c4b163604a0994e5cbd327ba7a09.pdf
- https://static.usrfiles.com/ugd/6cfc61_c5018e281ec74934aa41950f786fd961.pdf
- https://static.usrfiles.com/ugd/e33828_71253d2552ce4b31a1ec3db2bfb64045.pdf
- https://static.usrfiles.com/ugd/b8c837_43940db074194fada2b71d292d73fb8a.pdf
- https://static.usrfiles.com/ugd/b8c837_2f6a4ec01ce2412d9d447d9b7fc740d1.pdf
- https://cdn.shopify.com/s/files/1/0429/1241/5911/files/free_printable_frozen_birthday_banner_template.pdf
- https://cdn.shopify.com/s/files/1/0464/3084/7128/files/linux_kernel_development_report_2018.pdf
- https://cdn.shopify.com/s/files/1/0434/4286/4294/files/82634426271.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000618b.bin` `1db4fa3c56070150d1df59e1d5dded8b50fc3b997b70a7f73b26a1063e045dee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x618B	4980 bytes
`font_01_sfnt_off0000726c.bin` `a85a6097f775c9e30531d14d2f02934afd55f6ab3927eea68b0fcab9ea5078ec`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x726C	10016 bytes
`font_02_sfnt_off000094bf.bin` `0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x94BF	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.