PDF malware analysis — malicious · 7db1e32aa5063b6a

MALICIOUS

PDF

49.9 KB Created: 2020-08-25 21:52:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bad04bec3e78e4184e58cacdd1700514 SHA-1: fcc8738d5868738f7467318a4fd35ad1f4aa6cf4 SHA-256: 7db1e32aa5063b6a93a317163c420a3ce8778b0db27fe71e48ae4036fc84a982

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to ttraff.com, which is flagged as malicious. Additionally, it exhibits characteristics of a link farm, embedding numerous external PDF links, many hosted on cdn.shopify.com. The presence of a 'download button' heuristic suggests a lure to trick the user into clicking the malicious link. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=junior+accountant+notes+in+hindi+pdf
- http://files.peteraltschuler.com/uploads/1/3/1/4/131483254/linowatimew.pdf
- https://cdn.shopify.com/s/files/1/0436/1060/3677/files/kutur.pdf
- https://cdn.shopify.com/s/files/1/0433/6333/6350/files/49283528157.pdf
- https://cdn.shopify.com/s/files/1/0440/5189/0341/files/53434709349.pdf
- https://cdn.shopify.com/s/files/1/0434/4388/0093/files/baby_photo_apps.pdf
- https://cdn.shopify.com/s/files/1/0432/8256/3232/files/low_carb_diet_cookbook.pdf
- https://cdn.shopify.com/s/files/1/0429/1864/1830/files/lemukunofale.pdf
- https://cdn.shopify.com/s/files/1/0435/5083/4847/files/principles_of_catering_management.pdf
- https://cdn.shopify.com/s/files/1/0436/7951/4777/files/kefonijiziwazokanikonivaw.pdf
- https://cdn.shopify.com/s/files/1/0438/4011/0754/files/d_d_dungeon_master_guide.pdf
- https://cdn.shopify.com/s/files/1/0430/9535/9641/files/72797769393.pdf
- https://cdn.shopify.com/s/files/1/0435/2802/8312/files/vitipowojubujanesos.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000057e9.bin` `541ae631f4c8a5d1a9616c33dcdae3ec2879b8c3533ffa61f784f33b9b123741`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x57E9	5200 bytes
`font_01_sfnt_off00006991.bin` `a5972068022f723d084225634da6847b1e4413aeb559534886ecaddcb8b2178b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6991	10392 bytes
`font_02_sfnt_off00008d5c.bin` `ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D5C	16164 bytes
`font_03_sfnt_off0000a2b0.bin` `a91f48bd07aa2053d45681af5e2fecf78bff1786dfe9035bb0e40b1f8f038da1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA2B0	6868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.