PDF malware analysis — malicious · 580053806cf7c6ed

MALICIOUS

PDF

36.6 KB Created: 2020-08-04 02:47:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 42bf4e8bdb574c61b9a64262b57e8b51 SHA-1: f651ee8998c98712a8b287192eb0e68a87aea3d7 SHA-256: 580053806cf7c6ed55816379a1ce504e56636d80352c0314aec71fff549af5b7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded URLs, with a critical heuristic firing indicating it links to known malicious redirector infrastructure. The primary malicious URL identified is 'https://ttraff.com/pify?keyword=cahier+alter+ego+3+pdf'. While many other URLs point to Shopify, the presence of the redirector strongly suggests a malicious intent, likely to lead users to a phishing or malware distribution site. No scripts were extracted, and the document body was heavily obfuscated.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cahier+alter+ego+3+pdf
- http://files.gftrails.ca/uploads/1/3/1/3/131384301/besawiretixazotan.pdf
- http://kabef.eatgreennutrition.com/uploads/1/3/1/6/131637240/pepumolu-lexivi-bozebikoruwoba.pdf
- http://files.pdoapparel.com/uploads/1/3/1/4/131407012/639d9c9.pdf
- http://files.stmichaelskalida.org/uploads/1/3/1/4/131452858/0ecb1.pdf
- https://cdn.shopify.com/s/files/1/0429/8535/7463/files/nier_automata_mods.pdf
- https://cdn.shopify.com/s/files/1/0428/6801/5260/files/77398823701.pdf
- https://cdn.shopify.com/s/files/1/0431/5276/9192/files/32561220355.pdf
- https://cdn.shopify.com/s/files/1/0435/1901/7124/files/schauer_battery_charger_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/7519/0430/files/duwosuzuvanag.pdf
- https://cdn.shopify.com/s/files/1/0434/5564/3813/files/mevofonitodavoluforebi.pdf
- https://cdn.shopify.com/s/files/1/0437/4121/6917/files/87639124551.pdf
- https://cdn.shopify.com/s/files/1/0430/2936/4889/files/att_virus_protection.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pujofupokutesigitugut.pdf
- https://cdn.shopify.com/s/files/1/0434/5767/5431/files/kundalini_awakening_process.pdf
- https://cdn.shopify.com/s/files/1/0440/6162/2437/files/zutukija.pdf
- https://cdn.shopify.com/s/files/1/0428/9419/6902/files/zoguravusaninixu.pdf
- https://cdn.shopify.com/s/files/1/0428/5802/1027/files/42600356146.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004e6a.bin` `a0a1f2a5cc1bfdf21ea435cf25d2df1380d291fff7fff6b0f30627548bc09521`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4E6A	5196 bytes
`font_01_sfnt_off00006011.bin` `b030e1ce8b161473d04c7cd635a58b45d97795701d1eb9445df2ad7163a97c9b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6011	11380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.