PDF malware analysis — malicious · 7e908a8406501f2a

MALICIOUS

PDF

46.6 KB Created: 2020-08-19 22:33:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8a039c2e740a4f69f3e84886c6e21e3a SHA-1: d4a2a18bdc1191068f3093f9594f9b06328854bc SHA-256: 7e908a8406501f2af4a2ca11e3840555113bb5b7e49b63206840b5e63ac246fc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=bedsheet+ke+design+dikhaye'. The document body, though partially corrupted, contains text related to 'bedsheet ke design' and the malicious URL, suggesting a lure to disguise the malicious intent. The presence of numerous embedded links, many hosted on cdn.shopify.com but also including other unknown domains, indicates a link farm strategy, likely to obscure the ultimate destination or to spread malicious content across multiple sites. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=bedsheet+ke+design+dikhaye
- http://files.sskalski.com/uploads/1/3/1/3/131380126/satobemomopanefifivu.pdf
- http://files.dopekonect.net/uploads/1/3/0/7/130775413/79c9b42c08a.pdf
- http://rijinet.shadesbyshanni.com/uploads/1/3/1/0/131070786/lezogeri.pdf
- http://files.letspaintarabic.com/uploads/1/3/1/3/131379612/22ab9b14a11.pdf
- https://cdn.shopify.com/s/files/1/0430/8421/8532/files/gevisowug.pdf
- https://cdn.shopify.com/s/files/1/0432/7663/2214/files/taxegunubigupiwizumuga.pdf
- https://cdn.shopify.com/s/files/1/0431/9900/4827/files/sejaxisuzozixu.pdf
- https://cdn.shopify.com/s/files/1/0440/2325/1094/files/ecco_hot_tubs_manual.pdf
- https://cdn.shopify.com/s/files/1/0433/6022/3397/files/pathophysiology_of_peptic_ulcer_disease.pdf
- https://cdn.shopify.com/s/files/1/0436/6660/4182/files/apprendre_chinois.pdf
- https://cdn.shopify.com/s/files/1/0452/7154/8066/files/54857943997.pdf
- https://cdn.shopify.com/s/files/1/0430/6596/6754/files/86624807003.pdf
- https://cdn.shopify.com/s/files/1/0432/1925/5456/files/zebetozixi.pdf
- https://cdn.shopify.com/s/files/1/0434/8831/3506/files/59054807838.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/42479515564.pdf
- https://cdn.shopify.com/s/files/1/0428/2315/5878/files/95271973229.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/94608223162.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ded.bin` `f1028d40954ef036476b6df74c3a3d4d1cb5c5882318c0b54228ff5ae5221f49`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DED	5172 bytes
`font_01_sfnt_off00007f8b.bin` `cda8fd1a32040487c3561b276db2977f82dfb39f1c265d9098c948e4a8c78d66`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F8B	15052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.