PDF malware analysis — malicious · 791fdf3ea320635a

MALICIOUS

PDF

41.2 KB Created: 2020-08-04 03:08:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f8eed1633f8281ad94a0a2732e6f53d4 SHA-1: 3525c472a46a63ee616407eec04b700f5f1e9e52 SHA-256: 791fdf3ea320635a32a32ec875635ac2b02ec3f6fa6154907427749cbfb88f02

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector. The document body text and embedded URLs suggest a lure related to 'ctet july question paper 2020 pdf'. The primary malicious URL is ttraff.cc, which redirects to a benign-looking Shopify URL, likely as part of a multi-stage redirection chain to obscure the final malicious destination.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=ctet+july+question+paper+2020+pdf
- http://files.waiheelimu.org/uploads/1/3/1/6/131607174/nomuvawezilamaranu.pdf
- http://files.forestparkestateshoa.org/uploads/1/3/1/4/131437222/muzikubawosuvuzizi.pdf
- http://meluw.covrha.com/uploads/1/3/1/4/131438464/sugugo.pdf
- http://files.saintsandscholars.org/uploads/1/3/1/0/131070291/xisibibi.pdf
- https://cdn.shopify.com/s/files/1/0441/4016/7320/files/26324614998.pdf
- https://cdn.shopify.com/s/files/1/0428/8158/1223/files/57313948903.pdf
- https://cdn.shopify.com/s/files/1/0430/3552/5282/files/lunafaverorabux.pdf
- https://cdn.shopify.com/s/files/1/0437/8981/1861/files/nupasiserodaxegibu.pdf
- https://cdn.shopify.com/s/files/1/0430/0609/9605/files/34375057716.pdf
- https://cdn.shopify.com/s/files/1/0435/2468/5976/files/warowoboderelitufogupo.pdf
- https://cdn.shopify.com/s/files/1/0428/2286/0966/files/mokedologexigudogudaguw.pdf
- https://cdn.shopify.com/s/files/1/0433/2807/7992/files/radasibemi.pdf
- https://cdn.shopify.com/s/files/1/0430/9617/8845/files/1234052951.pdf
- https://cdn.shopify.com/s/files/1/0438/3067/3565/files/sabezabivuminis.pdf
- https://cdn.shopify.com/s/files/1/0432/5995/3312/files/ledoxif.pdf
- https://cdn.shopify.com/s/files/1/0432/0080/7070/files/wulug.pdf
- https://cdn.shopify.com/s/files/1/0434/6059/1776/files/23156060337.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006209.bin` `af98770ae28a4d45e7a63d7c76e78ecd32726f4a0263ed02ec926a5e9e60bde4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6209	5516 bytes
`font_01_sfnt_off000074e1.bin` `3e7ae5389aeb1e43b94dafd1da0b428288b1ebdd42ebf01df54d60c08b172270`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x74E1	10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.