PDF malware analysis — malicious · 91510ceacfc604e9

MALICIOUS

PDF

45.8 KB Created: 2020-09-03 11:45:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fb4f4dd61a6f8794d87d38f8390cf786 SHA-1: db911cb897f969fcce6dbbfc282575632f298a90 SHA-256: 91510ceacfc604e96d6b6ebdae1eab66a1793e0d10b9b17fbe10a384b96b962a

128 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.club', which is used in conjunction with a lure for 'apptoko mod apk terbaru'. The document also contains a PDF link farm heuristic, indicating a large number of outbound links, many of which are hosted on Shopify. The presence of the malicious redirector suggests the document's primary purpose is to lead the user to a malicious site, likely for malware distribution or phishing. No scripts were extracted from this sample.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.club/wix?keyword=apptoko+mod+apk+terbaru
- https://cdn.shopify.com/s/files/1/0441/1644/3288/files/fake_0gambling_sites.pdf
- https://cdn.shopify.com/s/files/1/0435/0813/8150/files/48605032172.pdf
- https://cdn.shopify.com/s/files/1/0430/4565/0586/files/5283207563.pdf
- https://cdn.shopify.com/s/files/1/0433/0664/7717/files/international_4300_dt466_service_manual.pdf
- https://cdn.shopify.com/s/files/1/0434/4827/1000/files/48678248882.pdf
- https://static.usrfiles.com/ugd/b8c837_8f270386712642d7ab246af03b1606e4.pdf
- https://cdn.shopify.com/s/files/1/0431/8789/6488/files/detebemugoxagazaxadaru.pdf
- https://cdn.shopify.com/s/files/1/0431/5670/1348/files/19098609629.pdf
- https://cdn.shopify.com/s/files/1/0434/5180/9942/files/88026694645.pdf
- https://static.usrfiles.com/ugd/cc3ca9_125febe9a364439b98a311e8919b17a3.pdf
- https://static.usrfiles.com/ugd/bc79a4_55f239e944574d0685293a46907c8f0a.pdf
- https://static.usrfiles.com/ugd/2813e2_b8034cd2505a472fa9bff9d87ac18601.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000056bb.bin` `ea0e2156d901bd71e05d4f9fbc792e9f636901caebed22c87ac7637170082069`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x56BB	5088 bytes
`font_01_sfnt_off000067e9.bin` `3a08e12b38cf2a67d86156db86a577ae696ea757666cc9d73fbcfbadd10a2169`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67E9	13912 bytes
`font_02_sfnt_off0000935c.bin` `6cdb3bbd1437208a5145cc10c87eb1537d82c4e4fe63c31ec5f63184e053b7a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x935C	16468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.