PDF malware analysis — malicious · 8bc02b29f5645ef8

MALICIOUS

PDF

44.0 KB Created: 2020-08-05 12:58:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6d475d6875cb3531a78d55d8b7a4be54 SHA-1: 023632713ef5d97ecee35b32a3e1c3d7ba1ac00e SHA-256: 8bc02b29f5645ef8111f8d285b3205f905d8b00c374a127e179510301c0dc6bf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a redirector hosted on ttraff.com, which is flagged as malicious. Additionally, the document body and embedded PDF facts indicate a large number of external links, many pointing to Shopify domains, suggesting a link farm designed to obscure the malicious redirector. The primary intent appears to be to redirect the user to malicious infrastructure via the ttraff.com URL.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=ansys+tutorial+pdf+free+download
- http://files.foundationfirsthorsemanship.com/uploads/1/3/1/3/131380345/dovexe-lulurux-wipurupogila.pdf
- http://files.tishatinsmanphotography.com/uploads/1/3/1/4/131411474/bidanoximemova.pdf
- http://files.dance4him.org/uploads/1/3/0/8/130814588/rujiz.pdf
- http://files.inured.org/uploads/1/3/1/4/131438313/94e388f07cf7.pdf
- https://cdn.shopify.com/s/files/1/0427/4218/6150/files/visuraregomixaz.pdf
- https://cdn.shopify.com/s/files/1/0433/9462/9788/files/59717013733.pdf
- https://cdn.shopify.com/s/files/1/0448/0404/6997/files/can_t_help_falling_in_love_piano_easy.pdf
- https://cdn.shopify.com/s/files/1/0437/2057/3082/files/fesezogazobafova.pdf
- https://cdn.shopify.com/s/files/1/0427/7361/0663/files/pogiwomukijeninamefogi.pdf
- https://cdn.shopify.com/s/files/1/0430/0029/9683/files/adverbios_de_modo_en_ingles.pdf
- https://cdn.shopify.com/s/files/1/0431/6528/6564/files/viliz.pdf
- https://cdn.shopify.com/s/files/1/0434/1828/8277/files/vubuzuvi.pdf
- https://cdn.shopify.com/s/files/1/0432/6191/9390/files/migile.pdf
- https://cdn.shopify.com/s/files/1/0438/3558/8770/files/jawizisiluwazemofadaxeg.pdf
- https://cdn.shopify.com/s/files/1/0431/1865/7703/files/robisofoz.pdf
- https://cdn.shopify.com/s/files/1/0429/4633/0791/files/70680498792.pdf
- https://cdn.shopify.com/s/files/1/0429/9508/9559/files/12691049807.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000600c.bin` `8b42de8431068281ebf36006118e0af69155d3311f57da5233f1f7cb594eb365`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x600C	5100 bytes
`font_01_sfnt_off00007185.bin` `15601849b1a6241ba282612b858a5c8898fb433844f24d5cd8dbb6fa6159b292`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7185	10292 bytes
`font_02_sfnt_off0000948d.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x948D	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.