PDF malware analysis — malicious · 8c62dcc81ae01447

MALICIOUS

PDF

59.1 KB Created: 2020-07-25 18:08:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5b626e25b018c5b9d5c6ab25b4fbb6a3 SHA-1: 7aaee46fc31961764c2353a78b69df3738bc5670 SHA-256: 8c62dcc81ae01447e58734c78ec53fdc2d2e814585bee0a6c6bdee20d551ce6d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF_MALICIOUS_REDIRECTOR_LINK' pointing to 'ttraff.com'. Another heuristic flags it as a 'PDF_SEO_LINK_FARM', indicating a large number of external links, many hosted on Shopify. The document body, though heavily corrupted, contains text related to 'Google analytics certification questions and answers 2018', suggesting a lure. The primary attack pattern involves redirecting users to potentially malicious sites through these numerous links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=google+analytics+certification+questions+and+answers+2018
- http://files.jalascoaching.com/uploads/1/3/0/8/130873728/bibovuvogadanibazora.pdf
- http://files.theblackribbonart.com/uploads/1/3/2/3/132303181/4f1c131.pdf
- http://files.nathaliedavilaphotography.com/uploads/1/3/0/7/130738821/zedafolorajataki.pdf
- http://files.fitnessfactory1.com/uploads/1/3/0/7/130739567/3499249.pdf
- http://files.mvsutah.com/uploads/1/3/1/3/131384679/kefem_defojowa_nevuxomod_mijudo.pdf
- https://cdn.shopify.com/s/files/1/0437/2866/6785/files/33847064184.pdf
- https://cdn.shopify.com/s/files/1/0434/3519/6568/files/lekujileze.pdf
- https://cdn.shopify.com/s/files/1/0427/9628/6111/files/95233420356.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57032902602.pdf
- https://cdn.shopify.com/s/files/1/0431/5519/4011/files/58166863811.pdf
- https://cdn.shopify.com/s/files/1/0433/6844/8152/files/susenonelukagusobalo.pdf
- https://cdn.shopify.com/s/files/1/0431/8717/5588/files/16555345337.pdf
- https://cdn.shopify.com/s/files/1/0432/2813/5591/files/febirezupelu.pdf
- https://cdn.shopify.com/s/files/1/0434/1468/3815/files/vowarufanasaduwijir.pdf
- https://cdn.shopify.com/s/files/1/0434/3876/8294/files/gizulopofo.pdf
- https://cdn.shopify.com/s/files/1/0432/3013/4427/files/ruzid.pdf
- https://cdn.shopify.com/s/files/1/0433/6461/4303/files/42847179720.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a6cf.bin` `9c7dd05b15a317d1c67e7c860ec87803eaba0559ba24e9a3ade19e428a5a6740`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA6CF	5944 bytes
`font_01_sfnt_off0000bb2c.bin` `901c6f25726bc97925328647a9dfcead9ac6055ab4eb9bbe04947b7f9b91f117`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBB2C	10440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.