PDF malware analysis — malicious · 888afe3c25c5fbfa

MALICIOUS

PDF

56.8 KB Created: 2020-08-10 02:50:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 524ce336d32fb4bfb75051497c12d3db SHA-1: 58568df49fc917aa3c3ab29908b9530d99b6cccc SHA-256: 888afe3c25c5fbfae4c2a64b615cbf8214fbb86f4bb9b84aba6f69547dc27838

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=arabic+numbers+1+to+10+pdf'. Additionally, another critical heuristic indicates a PDF link farm, with the first URL being 'https://cdn.shopify.com/s/files/1/0441/1247/8360/files/segomi.pdf'. The document body, though heavily obfuscated, contains references to the malicious URL. The combination of these factors strongly suggests a malicious intent to redirect users to harmful content.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=arabic+numbers+1+to+10+pdf
- http://files.passagesandpathways.com/uploads/1/3/2/6/132695629/wufiruxinajod.pdf
- http://pozalawik.theramblingblog.com/uploads/1/3/1/3/131383544/jibugafujavojuj.pdf
- http://files.mobile-massage-sydney.com/uploads/1/3/1/4/131406749/5d4c81.pdf
- https://cdn.shopify.com/s/files/1/0441/1247/8360/files/segomi.pdf
- https://cdn.shopify.com/s/files/1/0430/3339/5353/files/wikemofagimizozatuni.pdf
- https://cdn.shopify.com/s/files/1/0432/6224/7075/files/pijorujojuw.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/test_1879eb6a-339e-4d45-a409-571cd94a4742.pdf?v=1594212285
- https://cdn.shopify.com/s/files/1/0436/3934/1216/files/prime_minister_awas_yojana_form.pdf
- https://cdn.shopify.com/s/files/1/0433/9400/7191/files/katuzadiraw.pdf
- https://cdn.shopify.com/s/files/1/0432/7522/3206/files/python_insertion_sort.pdf
- https://cdn.shopify.com/s/files/1/0429/4885/3926/files/baixar_editor_serial.pdf
- https://cdn.shopify.com/s/files/1/0437/8047/2984/files/jiketivolufirokuxogupe.pdf
- https://cdn.shopify.com/s/files/1/0438/6832/4005/files/bewipegeni.pdf
- https://cdn.shopify.com/s/files/1/0436/9983/0952/files/2090238393.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007fa0.bin` `0a61b4d8f7851da4f406ab4e0d3cbbe4a397ff4809e01ab3d998ac259be510a7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FA0	5592 bytes
`font_01_sfnt_off00009289.bin` `4aa29688183af0f6c8e5919a5888369eb542bf4729b9317ae98f288994ce17e6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9289	10576 bytes
`font_02_sfnt_off0000b5a4.bin` `249433481cf80c0228470fbeb5ebc19969b82072015382de7d44d2b12a7a2991`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB5A4	19440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.