Malicious PDF — malware analysis report

Static analysis result for SHA-256 760099fa9da43bcd…

Verdict: MALICIOUS
File type: PDF
Size: 50.9 KB
Created: 2020-08-13 09:33:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f6d1480032dc570fc88c31c5c852c91
SHA-1: ba78db11f589c91a801a1f3e9c504504c4393691
SHA-256: 760099fa9da43bcdac863b6d37640ec919335ded4ff296b4364ff221bdf2dc3b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired for a malicious redirector link pointing to 'ttraff.cc'. The document body contains the same URL, presented as a lure for a 'wordly wise 3000 book 8 lesson 13 answer key pdf'. This indicates a phishing or scam attempt in which the user is tricked into clicking the link. A link-farm heuristic also fired: the PDF carries a large number of external PDF links, many hosted on Shopify, a common tactic for distributing malicious documents.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=wordly+wise+3000+book+8+lesson+13+answer+key+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000067d5.bin
    SHA-256: 874901e2cf8bd134072749e0b5e13fe6b2a49503253248ceb4a8036cb6aed39d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67D5
    Size: 6996 bytes
  • font_01_sfnt_off00007fa1.bin
    SHA-256: 6d4fa76f96277f2eadd897001437a3ad4fffd13653cb2594ad61a4e4772a1786
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7FA1
    Size: 5996 bytes
  • font_02_sfnt_off0000943d.bin
    SHA-256: f88fc7cc0cf7886c40b4c76bf9d95a1b790edca7451c1db2702a6ce359d15bcf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x943D
    Size: 12728 bytes