PDF malware analysis — malicious · 9407584d18d00242

MALICIOUS

PDF

43.8 KB Created: 2020-08-17 14:53:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 63d2b219e6527fa6551bc5614ed14498 SHA-1: 7616d7525016f42ce0176a644d351df4f059d007 SHA-256: 9407584d18d00242769e5d52d6e5c2ab3cc9b102959fbfe0537373b4e4883445

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm for SEO manipulation or to obscure malicious content. One critical heuristic identified a link to a known malicious redirector, 'ttraff.cc', which is used in conjunction with the lure 'picsart cracked apk'. The document body, though heavily obfuscated, contains this same URL and references to cracked software, reinforcing the phishing or malware delivery pretext. The presence of numerous Shopify-hosted PDFs, while some are benign, likely serves to add legitimacy to the overall link farm.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/pify?keyword=picsart+cracked+apk
- http://files.tothemoonandbackrabbits.com/uploads/1/3/1/6/131607522/7503cdf.pdf
- http://gejewot.artinheavenhellonearth.com/uploads/1/3/2/8/132814930/2365231.pdf
- http://files.bc-ipse.org/uploads/1/3/1/4/131455328/vututupeko.pdf
- http://kegetadi.emerge-studios.com/uploads/1/3/1/8/131872269/maputiwuvonalave.pdf
- http://files.sprinkledco.com/uploads/1/3/0/7/130738765/bufosezim.pdf
- https://cdn.shopify.com/s/files/1/0431/1633/1172/files/2731060312.pdf
- https://cdn.shopify.com/s/files/1/0434/3640/8982/files/43126446906.pdf
- https://cdn.shopify.com/s/files/1/0431/2032/8865/files/21943659555.pdf
- https://cdn.shopify.com/s/files/1/0429/1087/5815/files/febufuxiwujebikar.pdf
- https://cdn.shopify.com/s/files/1/0435/9559/5938/files/job_application_letter_in_marathi.pdf
- https://cdn.shopify.com/s/files/1/0428/8688/9625/files/west_indies_champion_song_ringtone.pdf
- https://cdn.shopify.com/s/files/1/0438/3604/7522/files/sign_adobe_doc.pdf
- https://cdn.shopify.com/s/files/1/0437/9977/3341/files/34123292373.pdf
- https://cdn.shopify.com/s/files/1/0433/4790/2629/files/21845444704.pdf
- https://cdn.shopify.com/s/files/1/0432/1050/6404/files/65812908706.pdf
- https://cdn.shopify.com/s/files/1/0429/0061/9423/files/77464309583.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006ea7.bin` `3d2c644004558113fe204ecd7211626ca366ea865bdf6cd5635dc7ec1541c875`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6EA7	5100 bytes
`font_01_sfnt_off00008002.bin` `857c91f6f534a4497cd9372dbd6a4bf69a7447b31d2c73a35a51bc363bed4de6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8002	9984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.