PDF malware analysis — malicious · 75fd50c5c961c705

MALICIOUS

PDF

40.0 KB Created: 2020-08-21 13:12:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7ef7f1d0dbf61423efd7f8a4142d85d5 SHA-1: 43a8522e5f24a2e3d702b088c50de54cfe034b8d SHA-256: 75fd50c5c961c70592d3a495256d383c5d7166aabb43a4ebcfec829a45f0286a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.001 PowerShell

The PDF contains a lure to install a browser extension or update, a common social-engineering tactic. It also hosts a large number of external PDF links, many pointing to benign content, but one critical link directs to a known malicious redirector at 'https://ttraff.cc/pify?keyword=arduino+programming+ide'. This suggests the document's primary purpose is to redirect users to malicious infrastructure, likely for further exploitation or credential theft.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=arduino+programming+ide
- http://files.warungfalafelbali.com/uploads/1/3/0/7/130739119/jotijajonulalo_vasaxiso_nufubanevomezir_xilapoves.pdf
- http://files.psalmstre.net/uploads/1/3/0/8/130874250/0b73356.pdf
- https://cdn.shopify.com/s/files/1/0434/1248/8343/files/benim_hocam_tyt_matematik_soru_bankas.pdf
- https://cdn.shopify.com/s/files/1/0438/8667/4088/files/73602307466.pdf
- https://cdn.shopify.com/s/files/1/0465/0618/0758/files/weboxu.pdf
- https://cdn.shopify.com/s/files/1/0428/2816/9382/files/jixerelufegodadumin.pdf
- https://cdn.shopify.com/s/files/1/0429/5986/3961/files/jareguvukuzeji.pdf
- https://cdn.shopify.com/s/files/1/0440/1407/6069/files/48570828524.pdf
- https://cdn.shopify.com/s/files/1/0439/0453/2648/files/esl_speaking_board_games.pdf
- https://cdn.shopify.com/s/files/1/0433/0727/0297/files/pafuxemor.pdf
- https://cdn.shopify.com/s/files/1/0439/2399/6840/files/lavivewiwutadik.pdf
- https://cdn.shopify.com/s/files/1/0432/7692/7142/files/dafipuzane.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rasebiv.pdf
- https://cdn.shopify.com/s/files/1/0431/1757/6354/files/armored_god_apk.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13977314479.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005efd.bin` `6ae1a246471df75ba340e6bfcf08a481631efdd9984f9288805a21fdcd6efd71`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5EFD	5060 bytes
`font_01_sfnt_off00007013.bin` `b9f87bc5945b517912eb53013482682f256875af98ee8b4645bdea29baff293f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7013	10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.