Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a0b89dc5927b0a2…

Verdict: MALICIOUS
File type: PDF
Size: 58.7 KB
Created: 2020-08-23 16:47:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ad5c843877456092ac457a2568990a1
SHA-1: 9419e07ffc62f81362f7e8bc21342cb9ef4cfac3
SHA-256: 8a0b89dc5927b0a2169123d26a1711b4046f8fa18a94894c8af09eca3549e3ce
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a mass of external links, with one critical heuristic identifying a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=astral+chain+game+informer'. The document body, though heavily obfuscated, contains this URL, suggesting an attempt to trick users into clicking through to a malicious site. The presence of numerous benign-looking Shopify links likely serves to obscure the malicious redirector within a larger link farm.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://ttraff.com/pify?keyword=astral+chain+game+informer

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00009885.bin
    SHA-256: 97e021f0533b9e6537f70cf9e4e9e3937c324af6b6c4276a1bedb7cdb34bb45d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9885
    Size: 4188 bytes
  • font_01_sfnt_off0000a750.bin
    SHA-256: be91b973b45bb01acc8f23903bdfddd8f1fc6724e35ff3cc0d7ae7885201ba6b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA750
    Size: 5284 bytes
  • font_02_sfnt_off0000b915.bin
    SHA-256: a007d12afc7ea10cd6219e9c6d2abd3c5b0f20e51a4b56539fb52a1eded8502c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB915
    Size: 10520 bytes