PDF malware analysis — malicious · 88aeff7bd7d2dd9f

MALICIOUS

PDF

38.7 KB Created: 2020-08-30 07:56:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f1f097847162983fbb00f190bc4cc22c SHA-1: 8348f3793571a8c1e7de5bb502a133e9588219cc SHA-256: 88aeff7bd7d2dd9fa774e9b365d634178e2658b9d5099c87b9ee51c01667a58f

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=gone+girl+download+book+pdf'. This indicates the document is designed to trick users into clicking the link, likely under the guise of downloading a book, which then redirects to malicious infrastructure. The presence of a 'download button' heuristic further supports this social engineering tactic.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=gone+girl+download+book+pdf
- https://cdn.shopify.com/s/files/1/0430/5453/0709/files/36346204544.pdf
- https://cdn.shopify.com/s/files/1/0428/2990/6079/files/40240701307.pdf
- https://cdn.shopify.com/s/files/1/0428/3544/3875/files/honda_goldwing_service_manual_free_download.pdf
- https://cdn.shopify.com/s/files/1/0429/7919/7081/files/99843163109.pdf
- https://cdn.shopify.com/s/files/1/0429/8299/8170/files/21477568336.pdf
- https://cdn.shopify.com/s/files/1/0433/7103/6835/files/kerokizumad.pdf
- https://cdn.shopify.com/s/files/1/0461/4455/3123/files/five_centuries_of_verse.pdf
- https://static.usrfiles.com/ugd/b8c837_fb6985de4f654a1cb937a6641e90bf53.pdf
- https://static.usrfiles.com/ugd/b8c837_0112073a40784c0b8b3ba496522f7bcf.pdf
- https://static.usrfiles.com/ugd/c7a620_17cb064c2dac4943b799913835320e18.pdf
- https://static.usrfiles.com/ugd/3fc21f_a5301db43aa14c2398e07ae9387500bf.pdf
- https://static.usrfiles.com/ugd/286fb8_b531ef40decc4a0594d4c5d11c4c2eee.pdf
- https://static.usrfiles.com/ugd/b8c837_8ce3de2a0dbe44b98f7ad2a3844927c0.pdf
- https://static.usrfiles.com/ugd/b8c837_37c0672c55984546a209a1b2c222cf94.pdf
- https://static.usrfiles.com/ugd/d1d005_aab23b4bcaee4a2894f3684575a8ba56.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000590f.bin` `72173e16ee7c4917b65f23f094036081e38e3f4a30ebca83ec7ffd9a3925bd33`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x590F	5360 bytes
`font_01_sfnt_off00006b74.bin` `b58d935c277debe8716a2ea2a8b69502c1264c7fd5c4184485d68110f0e6dec1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B74	10104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.