PDF malware analysis — malicious · 560593cd0ef7b31d

MALICIOUS

PDF

46.3 KB Created: 2020-08-21 05:53:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: e7dd43cd2009e47826c0483acd704dde SHA-1: 1357c45856bc9304753989387866212c36f9c77f SHA-256: 560593cd0ef7b31dc757705c8ccfa348c9c346dd339df6bf45768ff24a06ad6e

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains this URL and also references 'guidelines for british passport photos', suggesting a lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a further stage of the attack.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=guidelines+for+british+passport+photos
- http://jilefuxoj.choikingshan.com/uploads/1/3/0/9/130969723/supimekusodo-zemelasivorad-rigup.pdf
- http://files.sollysummersoccercamp.com/uploads/1/3/0/7/130739616/2273242e0f28fe.pdf
- https://cdn.shopify.com/s/files/1/0435/4198/7479/files/9257597648.pdf
- https://cdn.shopify.com/s/files/1/0428/5313/8591/files/lalej.pdf
- https://cdn.shopify.com/s/files/1/0434/6950/4662/files/barska_stolica_forma_ideale.pdf
- https://cdn.shopify.com/s/files/1/0437/2309/6216/files/sekaloxomoboralusevamiga.pdf
- https://cdn.shopify.com/s/files/1/0433/2149/1621/files/70424005932.pdf
- https://cdn.shopify.com/s/files/1/0430/6763/7922/files/63617208136.pdf
- https://cdn.shopify.com/s/files/1/0448/1892/3686/files/annabel_lee_allan_poe.pdf
- https://cdn.shopify.com/s/files/1/0431/4234/8949/files/93454632279.pdf
- https://cdn.shopify.com/s/files/1/0435/9480/9507/files/843204142.pdf
- https://cdn.shopify.com/s/files/1/0431/9900/4831/files/37985931556.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000669a.bin` `45121554b7935ea7cd90467f226e09304125c22086cb729c5a3bbaf42c4fc9e0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x669A	5300 bytes
`font_01_sfnt_off0000787f.bin` `e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x787F	1800 bytes
`font_02_sfnt_off0000810d.bin` `e0500607e6f8cab69f9f729f0b7b2bf3ef456366270314f413bf01627af0537c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x810D	13352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.