PDF malware analysis — malicious · 815eedafef3d39b7

MALICIOUS

PDF

41.9 KB Created: 2020-09-01 00:42:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 4b5739962c9d446a4de59a0e4dc14119 SHA-1: c3b8f242afc5406ffb5948bc2fbd40d4f160ace7 SHA-256: 815eedafef3d39b7d67f94b5c53f06b2a1f4ad2f7161831c80fff5e3d6c559f3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to external PDF files hosted on Shopify. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is likely used to obscure the final destination or deliver a malicious payload. The document body appears to be malformed or corrupted, but the presence of the redirector URL and the link farm strongly suggests a malicious intent, possibly for SEO manipulation or to lure users to malicious sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=guntersville+fishing+report+june+2019
- https://cdn.shopify.com/s/files/1/0428/8852/8035/files/biology_stephen_nowicki.pdf
- https://cdn.shopify.com/s/files/1/0428/6034/7551/files/betty_s_burgers_nutritional_information.pdf
- https://cdn.shopify.com/s/files/1/0434/6570/3590/files/14849357519.pdf
- https://cdn.shopify.com/s/files/1/0433/6893/9672/files/fesutivazowuragesasex.pdf
- https://cdn.shopify.com/s/files/1/0429/8260/4963/files/74558566154.pdf
- https://cdn.shopify.com/s/files/1/0431/6731/8167/files/medical_laboratory_quality_manual.pdf
- https://cdn.shopify.com/s/files/1/0436/2059/7923/files/advanced_javascript_tutorial_with_examples.pdf
- https://cdn.shopify.com/s/files/1/0440/7109/2376/files/kuvozusujibas.pdf
- https://cdn.shopify.com/s/files/1/0431/9540/0356/files/10433066596.pdf
- https://static.usrfiles.com/ugd/d9d1f5_75853931a081441985fa2150819156fc.pdf
- https://static.usrfiles.com/ugd/2e4eb4_49dddea2699546edbff9978af83b3e2f.pdf
- https://static.usrfiles.com/ugd/b8c837_6371cab9a18e4de4afbad73d6b44d57c.pdf
- https://static.usrfiles.com/ugd/c8a981_08a76708250d4e06a9fbdfb11eeed65f.pdf
- https://static.usrfiles.com/ugd/1b8612_fcc95b41aa3d4a20a67aa054db4c5074.pdf
- https://cdn.shopify.com/s/files/1/0437/7165/8389/files/80146046200.pdf
- https://cdn.shopify.com/s/files/1/0440/8927/8616/files/fundamentals_of_agronomy_book.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000649a.bin` `30df0ea95712a252cf5e29bb7b7a85967601a43165c4df26d59b5a679f73df39`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x649A	5600 bytes
`font_01_sfnt_off000077bf.bin` `201c3567b8f0797f084b625b3e9190504d1e9a102d0840dcec569680592134ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x77BF	10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.