PDF malware analysis — malicious · 8cf4743d2482288a

MALICIOUS

PDF

36.1 KB Created: 2020-08-15 00:33:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 42d57630ab8a5c54207ecc7c13009d79 SHA-1: 5aa4cfad5fa7246ee690d6c4b341207565e2406d SHA-256: 8cf4743d2482288ab8e782949195d2da288e0ab72c4571f8ddf0eaf70e781d94

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a redirector service, which is a common technique for delivering malicious payloads. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=avee+player+heart+visualizer+template' and numerous other links to external PDFs hosted on Shopify, suggesting a link farm designed to obscure the ultimate destination. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=avee+player+heart+visualizer+template
- http://gurigu.katherineinezmesa.com/uploads/1/3/1/6/131636826/9144126.pdf
- http://fuwega.domicilyachthotel.com/uploads/1/3/1/4/131453109/zekomo.pdf
- http://files.forttryonviolinstudio.com/uploads/1/3/2/6/132695546/a35554248.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tomazemajetel.pdf
- https://cdn.shopify.com/s/files/1/0432/3311/6315/files/64942220812.pdf
- https://cdn.shopify.com/s/files/1/0436/4160/2198/files/wrightsville_beach_cams.pdf
- https://cdn.shopify.com/s/files/1/0436/6244/2646/files/86532275787.pdf
- https://cdn.shopify.com/s/files/1/0432/5762/6792/files/battletech_era_report_3062.pdf
- https://cdn.shopify.com/s/files/1/0430/7868/0730/files/lurufuvenamene.pdf
- https://cdn.shopify.com/s/files/1/0435/4228/2399/files/98933331875.pdf
- https://cdn.shopify.com/s/files/1/0431/8907/6117/files/81140842099.pdf
- https://cdn.shopify.com/s/files/1/0434/2795/4840/files/kodogonasoxe.pdf
- https://cdn.shopify.com/s/files/1/0435/8415/9903/files/sins_of_a_solar_empire_rebellion_cheats.pdf
- https://cdn.shopify.com/s/files/1/0431/1869/0458/files/pobegowenimores.pdf
- https://cdn.shopify.com/s/files/1/0431/1446/3394/files/81040844142.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004fcf.bin` `ce68dd9b9f81a67fa830bb1c90bb90dad8806ff07b9652ca876e8d84d983eb8e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4FCF	5260 bytes
`font_01_sfnt_off000061a1.bin` `835654a4f18d8d5168dc071e357d329c39766f2ac561173d35d8d2e738f25d2a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61A1	9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.