PDF malware analysis — malicious · 8f2cb1520df1c837

MALICIOUS

PDF

54.9 KB Created: 2020-07-29 17:51:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7625925217ee8ab1eed6833ef6bbb7e4 SHA-1: 885091cb73f6e294647d6c7c14ad99796df0d41c SHA-256: 8f2cb1520df1c837ff74814fc0dfc06f0529f1006bb4a142cbc85cb734490b00

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a significant portion pointing to a link farm hosted on Shopify. One critical heuristic firing indicates that a link redirects to known malicious infrastructure via 'ttraff.cc'. The document body, though heavily obfuscated, contains text suggesting it is a lure for '6th grade reading comprehension pdf'. The combination of a link farm and a malicious redirector strongly suggests a phishing or scam attempt.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=6th+grade+reading+comprehension+pdf
- http://files.audreylewisinteriors.com/uploads/1/3/1/3/131398174/veman-papaduve.pdf
- http://files.enterthemovies.com/uploads/1/3/0/7/130739069/f03ae470.pdf
- http://files.danceswithdogstc.com/uploads/1/3/1/4/131483336/rilare_tenaz_mulojukaved_jevevovonesomad.pdf
- http://files.danceswithdogstc.com/uploads/1/3/1/4
- https://cdn.shopify.com/s/files/1/0428/8072/9251/files/fepunavotikaxikepefi.pdf
- https://cdn.shopify.com/s/files/1/0430/3477/1610/files/83763666650.pdf
- https://cdn.shopify.com/s/files/1/0429/2745/6419/files/75318610740.pdf
- https://cdn.shopify.com/s/files/1/0434/7727/0692/files/zokugizetofilubebu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gadawatozuwagujezudoru.pdf
- https://cdn.shopify.com/s/files/1/0428/0093/9164/files/21731274701.pdf
- https://cdn.shopify.com/s/files/1/0432/0896/6307/files/77804666005.pdf
- https://cdn.shopify.com/s/files/1/0432/2790/6206/files/kawoxiziti.pdf
- https://cdn.shopify.com/s/files/1/0430/7399/4905/files/kewivifaxofabizo.pdf
- https://cdn.shopify.com/s/files/1/0430/4951/7205/files/18874178471.pdf
- https://cdn.shopify.com/s/files/1/0431/4424/9499/files/natagip.pdf
- https://cdn.shopify.com/s/files/1/0437/4147/9066/files/bonigenigezu.pdf
- https://cdn.shopify.com/s/files/1/0430/5453/0709/files/66004668786.pdf
- https://cdn.shopify.com/s/files/1/0437/1293/8152/files/50897350195.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000099f8.bin` `2b0c1e3eeaf510921bb8804213d351161e9a356dde45d85f8a283411d5060ad7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x99F8	5384 bytes
`font_01_sfnt_off0000ac0d.bin` `b9be2f9e1bc1012f8d3b762d3c6115cdba9b84aa2625694c7e2f1d7327d6a431`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAC0D	10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.