PDF malware analysis — malicious · 8c736410f93e2c01

MALICIOUS

PDF

88.8 KB Created: 2020-08-12 01:05:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 58f0bf537a926aefae703ec9bd24bb1e SHA-1: 5e245d75b348977e05c7c184bcd16d7f48b27f40 SHA-256: 8c736410f93e2c011449e2cab0d9643104cb33b6e783c0bc351aabfcf594e61b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded URLs, with a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Another critical heuristic indicates a PDF link farm, with the first URL being 'cdn.shopify.com/s/files/1/0437/4324/8533/files/gran_turismo_2_iso.pdf'. The document body, though heavily obfuscated, contains the malicious redirector URL. The primary attack pattern involves luring users through these links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=basic+english+grammar+book+2+pdf+saddleback+pdf
- http://files.vcda2.com/uploads/1/3/2/6/132682030/lebepol-bitebado-sereji.pdf
- http://baxakuze.richardlfricks.com/uploads/1/3/1/6/131636612/7434595.pdf
- http://files.tacomaquakers.com/uploads/1/3/1/0/131070379/471c922ab34d.pdf
- http://files.kroottarkmeel.com/uploads/1/3/1/4/131453897/74c6e36bc54.pdf
- http://files.artofjfr.com/uploads/1/3/2/6/132696174/terizi-fofabafifedobi-toxet-vevole.pdf
- https://cdn.shopify.com/s/files/1/0437/4324/8533/files/gran_turismo_2_iso.pdf
- https://cdn.shopify.com/s/files/1/0435/8671/5805/files/61913980999.pdf
- https://cdn.shopify.com/s/files/1/0437/8089/8973/files/believer_imagine_dragons_violin_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0428/4035/9068/files/lurixanaxakomikeriro.pdf
- https://cdn.shopify.com/s/files/1/0446/9565/0457/files/61084210195.pdf
- https://cdn.shopify.com/s/files/1/0435/7577/1304/files/68557787938.pdf
- https://cdn.shopify.com/s/files/1/0432/2403/9592/files/64371151571.pdf
- https://cdn.shopify.com/s/files/1/0433/1687/1333/files/99214791765.pdf
- https://cdn.shopify.com/s/files/1/0434/1052/2277/files/powusoko.pdf
- https://cdn.shopify.com/s/files/1/0434/5197/3794/files/fatepun.pdf
- https://cdn.shopify.com/s/files/1/0428/1332/5471/files/zozida.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010644.bin` `738742796adfcff812726e8d46d6aa9c0beccb8a50e3f3c7424ce42dc347da83`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10644	5956 bytes
`font_01_sfnt_off00011a4d.bin` `1e7d67f3e93474331a440d1aa617a71ead9cd368a1f3843d4926986fa9232add`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11A4D	10532 bytes
`font_02_sfnt_off00013e44.bin` `7085ebcbef419cd70eb435494ec1b65c982ddf7909e04d5668bfc52fee2830cb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13E44	16656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.