PDF malware analysis — malicious · 918649b39227ff60

MALICIOUS

PDF

42.3 KB Created: 2020-08-01 10:04:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3ba2d58a75c4e138891d8650bfee1ef8 SHA-1: c9ef4819f8b903bbe777f482c14edb76ca48bb90 SHA-256: 918649b39227ff600dff1412241e60708159e1a6102d27afa178db0325353ef5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to Shopify-hosted PDFs, designed to appear as a strategy guide. One critical heuristic firing indicates a link to a known malicious redirector at https://ttraff.com/pify?keyword=ffx+official+strategy+guide+pdf. This suggests the document is part of a link farm or SEO poisoning campaign to distribute malware or conduct phishing. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=ffx+official+strategy+guide+pdf
- http://files.pacifictrackandfield.com/uploads/1/3/1/4/131483955/vifamenadugerug.pdf
- http://files.daniellegaffen.com/uploads/1/3/0/8/130813887/4f954b.pdf
- http://files.deanhunt.net/uploads/1/3/0/9/130969652/fobuneborasi-vedapadilija.pdf
- http://files.shsu-catholic.org/uploads/1/3/2/8/132814589/vopano_xeradebijufuzib_vedoterifikob.pdf
- http://files.clearlykana.com/uploads/1/3/0/8/130813630/ca7419b69911d03.pdf
- https://cdn.shopify.com/s/files/1/0428/7817/3343/files/tebevijibewi.pdf
- https://cdn.shopify.com/s/files/1/0440/2728/1558/files/lojipetezej.pdf
- https://cdn.shopify.com/s/files/1/0434/0023/3123/files/95589719007.pdf
- https://cdn.shopify.com/s/files/1/0433/4324/9563/files/88449597471.pdf
- https://cdn.shopify.com/s/files/1/0431/4074/3329/files/mezofabemozetoba.pdf
- https://cdn.shopify.com/s/files/1/0434/1350/4150/files/kidudivuromoxujuvuzifi.pdf
- https://cdn.shopify.com/s/files/1/0434/4047/2214/files/53566028305.pdf
- https://cdn.shopify.com/s/files/1/0428/7486/3772/files/80898684145.pdf
- https://cdn.shopify.com/s/files/1/0438/5603/5990/files/77646803335.pdf
- https://cdn.shopify.com/s/files/1/0436/1561/7182/files/20186633458.pdf
- https://cdn.shopify.com/s/files/1/0435/4369/1419/files/bejowoda.pdf
- https://cdn.shopify.com/s/files/1/0435/1849/2824/files/like_button_youtube.pdf
- https://cdn.shopify.com/s/files/1/0435/2193/3466/files/71665519049.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006409.bin` `0f65491be539e73bb66383ed44f71ee74166c3b27635d22663e356a1e86b12a2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6409	5448 bytes
`font_01_sfnt_off000076b9.bin` `6a904b269f7c3663d3b6e7128354f896aff01ba124e772d075d2f15628f9948b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76B9	11160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.