PDF malware analysis — malicious · 7f7428fa9cfb6d41

MALICIOUS

PDF

61.0 KB Created: 2020-08-09 17:40:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6bc7767eb2705afb64af5abc5adfbaaf SHA-1: 0e55d130b9146c7f5d138b5f9e210f2e7e05e8e2 SHA-256: 7f7428fa9cfb6d41c6bc4ae352fc3898d10f8359d2d1ac7a12296e5b04afbdf9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a mass external link farm, with many links pointing to other PDF files hosted on various domains, including Shopify. The primary malicious link, 'https://ttraff.com/pify?keyword=aditya+hridaya+stotra+in+telugu+pdf+free+download', is identified as a known malicious redirector. This suggests the document is designed to drive traffic to malicious infrastructure under the guise of providing a free download.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=aditya+hridaya+stotra+in+telugu+pdf+free+download
- http://files.ornamentsofexpression.com/uploads/1/3/1/4/131455883/vojosa.pdf
- http://files.wildstringsandthings.com/uploads/1/3/1/3/131384145/gufusixugawabu.pdf
- http://vibirakaj.dreamchen.org/uploads/1/3/0/9/130969754/xipudabepufidevezufi.pdf
- http://files.beneath1000skies.com/uploads/1/3/0/9/130969800/zoborepaw-sapupivutidu-jupumorus.pdf
- http://files.aquieditions.com/uploads/1/3/0/9/130969225/nataxageja.pdf
- https://cdn.shopify.com/s/files/1/0438/1740/2530/files/gevidupuwo.pdf
- https://cdn.shopify.com/s/files/1/0433/8122/7672/files/setex.pdf
- https://cdn.shopify.com/s/files/1/0433/8358/6977/files/vagosesewepufix.pdf
- https://cdn.shopify.com/s/files/1/0431/1243/1770/files/80177222193.pdf
- https://cdn.shopify.com/s/files/1/0441/2289/8584/files/43753520573.pdf
- https://cdn.shopify.com/s/files/1/0431/1754/3588/files/mowokerinevoxudarewun.pdf
- https://cdn.shopify.com/s/files/1/0428/7738/6918/files/titogufenatitimibi.pdf
- https://cdn.shopify.com/s/files/1/0433/4711/6197/files/wisujep.pdf
- https://cdn.shopify.com/s/files/1/0434/5384/1560/files/79168610165.pdf
- https://cdn.shopify.com/s/files/1/0440/3943/8486/files/abebe_bikila_biography.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96226605796.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000667f.bin` `f9130c7b7322c617d058c172909b1eaef56bd98d8f0f753f5aa5d7187d8f4582`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x667F	5484 bytes
`font_01_sfnt_off0000793b.bin` `cd0c11fa2a58d2802080e54467e3a7281a7b9ba052092a632b9d112b7c7142f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x793B	30004 bytes
`font_02_sfnt_off0000b973.bin` `c04e43d8956df4127589335425d940fd9fa8048d2f3304649f6bcb0129b5d21e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB973	13724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.