PDF malware analysis — malicious · 8ed0e45ea2070e04

MALICIOUS

PDF

49.3 KB Created: 2020-08-29 17:46:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7578d69309e1845f31eee0df3d3af02f SHA-1: 6a0dea3234348b1f18a55c737fe7e2459cb31227 SHA-256: 8ed0e45ea2070e0459a0a4cfd41913ffe6ca7c871aba0eaaaa818031a2d62217

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=garrys+mod+free+play'. This URL is presented within the document body, suggesting a lure for users to download or access something, in this case, framed as 'Garrys mod free play'. The presence of numerous other PDF links, many pointing to Shopify and static.usrfiles.com, indicates a link farm strategy, likely to obscure the malicious redirector or to improve SEO for malicious content. The document itself is generated by wkhtmltopdf, a tool often used to create PDFs from web content, further supporting the idea that this PDF is a delivery mechanism for external malicious links.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/wix?keyword=garrys+mod+free+play
- https://cdn.shopify.com/s/files/1/0431/9110/7752/files/3533756466.pdf
- https://cdn.shopify.com/s/files/1/0433/7437/9158/files/zotutubimepobakodamisumat.pdf
- https://cdn.shopify.com/s/files/1/0430/8185/9225/files/classifying_rational_and_irrational_numbers.pdf
- https://static.usrfiles.com/ugd/20d83a_648b164c8b7549b3b33e95134d915e8f.pdf
- https://static.usrfiles.com/ugd/b8c837_c2cdf11cf77d41e495478a8651f93925.pdf
- https://static.usrfiles.com/ugd/b8c837_2f63a8b367ff4b61b944d919b9c5c01a.pdf
- https://static.usrfiles.com/ugd/b8c837_3a9250ca44cf4c60bdb3ea944eda2940.pdf
- https://static.usrfiles.com/ugd/b8c837_e21ebc83e53545c0992db7a8490f7f50.pdf
- https://static.usrfiles.com/ugd/b8c837_c1b09fe3458b4864bedc3aacab44d508.pdf
- https://static.usrfiles.com/ugd/b8c837_acb820017fd2462b91ff59d1f192f457.pdf
- https://static.usrfiles.com/ugd/b8c837_d9cca24ff3784981981835209f8035c0.pdf
- https://static.usrfiles.com/ugd/b8c837_9c7878d63dee4cfcab60368b6ee8049e.pdf
- https://static.usrfiles.com/ugd/b8c837_994f233a8f7142e2aa9eb3e797c90b38.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000068c0.bin` `c84474ed4795eb413f6db6cb9db874995fb64fc8f80f09dde4217ec15aecfc2e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x68C0	5320 bytes
`font_01_sfnt_off00007ad4.bin` `a5ad320de66ce39c1348637c835c29afa2585b534508b06ffcd096ceb93071b8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7AD4	9976 bytes
`font_02_sfnt_off00009d25.bin` `1f03c5d6b64d4e223c356ffc5bc139a9c6e28cfec3b427255e6d0501c0a5c705`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9D25	17808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.